AUTHENTICATED , 
US. GOVERNMENT 
INFORMATION ^ 


S. Hrg. 107-1151 

NEED FOR INTERNET PRIVACY LEGISLATION 


HEARING 

BEFORE THE 

COMMITTEE ON COMMERCE, 
SCIENCE, AND TRANSPORTATION 
UNITED STATES SENATE 

ONE HUNDRED SEVENTH CONGRESS 

FIRST SESSION 


JULY 11, 2001 


Printed for the use of the Committee on Commerce, Science, and Transportation 



88-997 PDF 


U.S. GOVERNMENT PRINTING OFFICE 
WASHINGTON : 2006 


For sale by the Superintendent of Documents, U.S. Government Printing Office 
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC area (202) 512-1800 
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001 


SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION 
ONE HUNDRED SEVENTH CONGRESS 
FIRST SESSION 


ERNEST F. HOLDINGS, South Carolina, Chairman 
DANIEL K. INOUYE, Hawaii JOHN McCAIN, Arizona 


JOHN D. ROCKEFELLER IV, West Virginia 

JOHN F. KERRY, Massachusetts 

JOHN B. BREAUX, Louisiana 

BYRON L. DORGAN, North Dakota 

RON WYDEN, Oregon 

MAX CLELAND, Georgia 

BARBARA BOXER, California 

JOHN EDWARDS, North Carolina 

JEAN CARNAHAN, Missouri 

BILL NELSON, Florida 


TED STEVENS, Alaska 
CONRAD BURNS, Montana 
TRENT LOTT, Mississippi 
KAY BAILEY HUTCHISON, Texas 
OLYMPIA J. SNOWE, Maine 
SAM BROWNBACK, Kansas 
GORDON SMITH, Oregon 


PETER FITZGERALD, Illinois 
JOHN ENSIGN, Nevada 
GEORGE ALLEN, Virginia 


Kevin D. Kayes, Democratic Staff Director 
Moses Boyd, Democratic Chief Counsel 
Mark Buse, Republican Staff Director 
Jeanne Bumpus, Republican General Counsel 


(H) 



CONTENTS 


Page 

Hearing held on July 11, 2001 1 

Statement of Senator Allen 7 

Statement of Senator Boxer 8 

Prepared statement 9 

Statement of Senator Burns 29 

Prepared statement 29 

Statement of Senator Carnahan 9 

Statement of Senator Cleland 58 

Statement of Senator Edwards 51 

Statement of Senator Ensign 60 

Statement of Senator Hollings 1 

Prepared statement 2 

Article, dated July 9, 2001, entitled. Confusing Privacy Notices Leave 

Consumers Exposed, from USA Today 50 

Statement of Senator Inouye 5 

Prepared statement 5 

Statement of Senator Kerry 55 

Statement of Senator McCain 3 

Statement of Senator Nelson 10 

Statement of Senator Rockefeller 10 

Statement of Senator Wyden 6 

Witnesses 

Brondmo, Hans Peter, Author, “The Engaged Customer” and Netcentives, 

Inc. Fellow 68 

Prepared Statement 70 

Cate, Fred H., Professor of Law, Indiana University School of Law 18 

Prepared Statement 20 

Catlett, Jason, President and CEO, Junkbusters Corp 77 

Prepared Statement 79 

Misener, Paul, Vice President, Global Public Policy, Amazon.com 73 

Prepared Statement 75 

Rotenberg, Marc, Executive Director, Electronic Privacy Information Center ... 12 

Prepared Statement 14 

Rubinstein, Ira, Associate General Counsel, Electronic Commerce Policy, 

Microsoft Corporation 82 

Prepared Statement 84 

Schwartz, Paul M., Professor of Law, Brooklyn Law School 30 

Prepared Statement 31 

Seagraves, Les, Vice President and Chief Privacy Officer, EarthLink, Inc 64 

Prepared statement 65 


(III) 




NEED FOR INTERNET PRIVACY LEGISLATION 


WEDNESDAY, JULY 11, 2001 

U.S. Senate, 

Committee on Commerce, Science, and Transportation 

Washington, DC. 

The Committee met at 9:30 a.m., in room SR-253, Russell Sen- 
ate Office Building, Hon. Ernest F. Hollings, Chairman of the Com- 
mittee, presiding. 

OPENING STATEMENT OF HON. ERNEST F. HOLLINGS, 

U.S. SENATOR FROM SOUTH CAROLINA 

The Chairman. We will commence the hearing with regard to 
Internet privacy, and I will file my statement. Let me summarize, 
because we need a sense of history. 

The Congress has been front and center over the years with re- 
spect to protecting the people’s privacy. We had the Federal Wire- 
tap Act of 1968, the Credit Reporting Act of 1970, the Privacy Act 
of 1974; I authored the Cable Act of 1984 and heard some of the 
same misgivings by industry at the time. It has worked extremely 
well; the Video Privacy Protection Act of 1988; and of course, for 
what we are discussing for adults, we have got the Children’s On- 
line Privacy Act of 1998, all working extremely well. There is a 
question raised even again on Monday about the Financial Services 
Privacy Provisions, as to their effectiveness, in USA Today. 

Otherwise, on the subject itself, the Federal Trade Commission 
has been toying with it for over 5 years. We have got listed here 
in our notes some nine hearings whereby they finally concluded 
after trying all the voluntary approaches, they recommended legis- 
lation. We now find a very interesting report that just came out 
from the Schwab Capital Markets on the Internet, and let me just 
quote this: 

“We disagree with corporate claims that a technology-neutral, selective opt- 
in mandate would likely make targeted marketing products prohibitively expen- 
sive to deploy or reduce the overall margins and profitability of advertisers. We 
also disagree that opt-in consent would have a substantial disruptive impact on 
the Internet in general. In our view, the experience of online opt-in consent 
business models suggests that the consumers can be enticed to provide personal 
and nonpersonal information at relatively little cost to web sites. We believe 
that the additional cost to entice people to opt in are likely to be overshadowed 
by the increase in revenues.” 

That is the best of the best business analysts. And, finally, of 
course, we are sort of behind the curve in the sense that the Euro- 
peans have moved forward with their safe harbor provision, and 
some would say, “Well, they haven’t enforced it”. It just got in in 
the last 2 years. We have got 12 of the 15 states now complying, 

( 1 ) 



2 


but more than anything else, those in the business thinks it is 
going to be enforced, so they have filed and met compliance: Micro- 
soft, Intel, Hewlett-Packard. We can go right on down the list. 

So while we are wondering whether it is wise to require of Amer- 
ican entities such as Microsoft, it is already being required, com- 
plied with, and they are happy in Europe. 

[The prepared statement of Senator Rollings follows:] 

Prepared Statement of Hon. Ernest F. Holdings, 

U.S. Senator from South Carolina 

Well — to quote former President Reagan — here we go again. Today the Commerce 
Committee will hold its first hearing on Internet privacy. It is past time for action 
on this issue, and I intend to introduce and report legislation to the full Senate be- 
fore the end of this session. 

Last year, after five years of diligent study, the Federal Trade Commission rec- 
ommended that Congress pass Internet privacy legislation that reflects the time- 
honored fair information practices of notice, consent, access, and security. This rec- 
ommendation was particularly credible in light of the FTC’s record of extensive 
analysis on this issue and its two prior recommendations to allow self-regulation a 
chance to work. Where did self-regulation get us? Nowhere. As Business Week stated 
last year, “self regulation is a sham.” 

According to former FTC chairman Robert Pitofsky, “some sites bury your rights 
in a long page of legal jargon so its hard to find them and hard to understand them 
once you find them. Self-regulation that creates opt-out rights that cannot be found 
or understood is not really an acceptable form of consumer protection.” Look no fur- 
ther than your mailbox to see that this is the case. 

Pursuant to the Gramm-Leach-Bliley financial privacy rules, Americans have 
been receiving literally billions of notices in the mail alerting tbem that they can 
opt-out of the sharing of their personal financial information by financial institu- 
tions with third parties. These notices make a mockery of the claim that notice and 
opt-out provides sufficient protection. 

Let me quote from the cover letter accompanying one of these notices: 

“We recognize that privacy is a very sensitive and important matter . . . 
[and] adhere to strict standards of security, confidentiality, and privacy with re- 
gard to consumer information ... if you are comfortable with [our] handling 
of information we collect, you do not need to take any action at this time.” 

That sounds pretty good, your information appears to be safe and private. But the 
attached notice informs you that the company: 

“Reserves the right to share all information we collect . . . [including with] 
financial service providers, mortgage-bankers-brokers, securities broker dealers, 
indirect loan originators, correspondent lenders, transaction processors, insur- 
ance agent/companies, . . . retailers, others, such as non-profit organizations.” 
Taken together, the cover letter and the attached notice are in direct conflict and 
are deceptive. Quite clearly, this is concrete evidence of why opt-out doesn’t work. 
And, if it won’t work when they mail you the notice, it certainly won’t work on the 
Internet when the notice is buried behind a link at the bottom of a web page. 

Clearly we need legislation that requires notice, affirmative consent, reasonable 
access, and reasonable security to protect individuals online. Such an approach 
would not represent, as industry contends, a dangerous and unprecedented regula- 
tion of the Internet, but rather, a logical extension of existing privacy laws to this 
new medium. Congress has enacted numerous statutes to protect the privacy of tele- 
phone customers, cable subscribers, video renters, and credit card customers. The 
Internet should be no different. 

Poll after poll indicates that the public wants this level of protection. Advances 
in technology have provided information gatherers the tools to seamlessly compile 
and enhance highly detailed personal profiles and histories. Moreover, news reports 
regularly inform us of privacy breaches of sensitive information on the Internet. 

Last week, we learned that Eli Lilly inadvertently disclosed a list of hundreds of 
customers suffering from depression, bulimia, and obsessive compulsive disorder. Eli 
Lilly’s response? An apology, and a promise it won’t happen again. A year ago, the 
New York Times reported that 19 of the top 21 health sites on the Internet had pri- 
vacy policies but “failed to live up to promises not to share information with third 
parties.” 



3 


Obviously, fears about privacy are preventing the Internet from reaching its full 
potential. Some studies indicate that as many as 20 percent of all Internet users 
give false information online to protect their privacy. But there is a solution — pri- 
vacy protection. Enacting privacy legislation will enhance consumer confidence in 
the medium and boost e-commerce. Forrester Research estimates that as much as 
$12 billion in online sales are lost annually due to concerns over privacy. We can 
change that. 

As for industry claims that opt-in kills the Internet, they are just whistling Dixie. 
For example, a recent Arthur Anderson survey reported that 74 percent of people 
will be happy to opt-in to share their personal marketing information, if they believe 
they will receive something in return. 

Some forward thinking companies already know this. The New York Times, 
Microsoft, Intel, Hewlett Packard, Expedia, Alta Vista, and Earthlink all provide 
opt-in protection, reasonable access to personal information that has been collected, 
and reasonable security for that information. Moreover, I note that some of these 
companies, Microsoft, Intel, Hewlett Packard, and one of the largest data collection 
companies — Axciom — have all signed on to the EU Safeharbor, which requires no- 
tice, opt-in for sensitive information, access and security. 

If they can do it, we can legislate it — by establishing Federal standards that cod- 
ify these “best practices.” and, if we couple that privacy protection with preemption, 
which I am always cautious about. Congress can foster business certainty and con- 
sumer confidence and allow the Internet to flourish. 

I want to put to rest fears that somehow legislation will shackle the Internet. The 
experts know that is not true. John Chambers of Cisco systems predicts that by 
2010, a quarter of the world’s global commerce will be conducted on the Internet. 
And Forrester Research group predicts that over $180 billion in online sales will 
occur by 2004. No legislation could ever stop, stifle, or thwart this inevitable 
progress. 

I look forward to working with my colleagues on this committee to craft legislation 
in this area. Last Congress, nearly a majority of the Committee cosponsored legisla- 
tion in this area. This year lets finish the job. 

The Chairman. Let me yield to my distinguished former chair- 
man. 


STATEMENT OF HON. JOHN McCAIN, 

U.S. SENATOR FROM ARIZONA 

Senator McCain. Thank you very much for reminding me, Mr. 
Chairman. 

[Laughter.] 

Senator McCain. I want to thank you, Mr. Chairman, for holding 
this hearing. The advent of network computers and developments 
like broadband television and wireless location technology make it 
much easier for businesses to track and to trade information about 
consumers’ transactions, whereabouts, and preferences. For all the 
benefits that consumers derive from the customized services that 
this flow of information provides, surveys continue to show that 
Americans are concerned and should be concerned about their on- 
line privacy. 

Last year. Members of Congress responded to these concerns by 
introducing various bills to restrict online collection, use, and dis- 
closure of personal information. Three of these bills were intro- 
duced by members of this very Committee and referred here. While 
the bills were similar, they all addressed the elements of the Fair 
Information Practices: notice; choice; access; and security. They 
also differed considerably in what they prescribed. 

With respect to consumer choice, for example, the question of 
whether the law should provide the consumer with either an opt- 
out or opt-in default was and remains an issue. Opt-out allows con- 
sumers’ personal information to be used unless otherwise indicated. 



4 


as opposed to opt-in, which prohibits the use of consumer informa- 
tion in the absence of affirmative consent. 

The difference is significant, considering that the vast majority 
of consumers probably will not change a default setting so that 
while consumers have choice under either regime, one significantly 
reduces the availability of personal information while the other 
does not. 

The bills also differed on whether or not companies should be re- 
quired to give the consumer access to all of the information gath- 
ered about them. Senator Kerry and I thought it would be unwise 
to mandate this, because it would require that separate pieces of 
information about an individual be gathered for the sole purpose of 
allowing a consumer to review them, and this would create a pro- 
file that might not otherwise be created. Moreover, a requirement 
that would allow consumers to access freely all data collected about 
them could compromise security and provide unintended con- 
sequences. 

We failed to resolve these differences last year. I hope we can 
this year, Mr. Chairman. Since then, there have been developments 
that will and should enter the debate over what kind of legislation 
is needed. Following the Committee’s hearings on online privacy 
last session, the Internet economy has continued to deflate, forcing 
companies to rethink their business models, and perhaps change 
the ways in which they collect and trade personal information. 

The demise of some dot-coms bodes both well and poorly for per- 
sonal privacy. On the one hand, the spate of dot-com bankruptcies 
and subsequent sale of customers’ personally identifiable informa- 
tion to pay creditors demonstrates that this data is a real asset and 
one that may not always be used in accordance with stated policies. 
On the other hand, with investment capital no longer available to 
keep companies with nonsensical or nonexistent business models 
afloat, companies that are going to survive will need to compete 
more robustly for customers, and customer-friendly privacy policies 
are a way to do this. 

The global implications of our information practices are also be- 
coming more evident. Within the past year, numerous countries 
with whose businesses we routinely share personally identifiable 
information with, have passed laws restricting the handling of in- 
formation about their citizens. 

In November of last year, the Department of Commerce began 
registering American companies for the safe harbor agreement that 
it had negotiated with the European Union. The agreement gives 
American companies that adhere to strict privacy practices a meas- 
ure of protection against enforcement of the European Union’s pri- 
vacy directive for the company’s handling in Europe or elsewhere 
of information about EU residents. 

Closer to home, since the Committee’s last hearing on online pri- 
vacy, final regulations controlling the use and disclosure of sen- 
sitive personal information regarding people’s health and finances 
have been adopted and gone into effect. Some have charged that 
the restrictions are inadequate, and others complain that they’re 
too onerous. Reacting to the characterization of the debate about 
privacy legislation is one that pits businesses against consumers. 
Since last year, a number of businesses have commissioned or pub- 



5 


lished studies purporting to show very significant costs, both the 
businesses’ and the consumers’, of restricting information flows. 

Developments in the online industry self-regulatory regime, 
spurred by threats of legislation and consumer concern, have also 
occurred since last year. Some companies have revised their infor- 
mation practices to provide better notice and choice to consumers. 
Third-party advertisers, like DoubleClick, who have in the past 
been perceived as the skunks in the privacy debate, say they have 
made it easier for consumers to stop these advertisers from track- 
ing their movements online. 

Companies have also developed a range of software tools that 
protect privacy by anonymizing or encrypting information. Later 
this year, Microsoft and, I am sure, other companies will offer soft- 
ware that can electronically read a web site’s privacy policy and 
compare the policy to the user’s preferences regarding the place- 
ment of cookies. 

In sum, these developments in foreign and domestic law as well 
as industry self-re^latory practices, should be considered as we 
debate the desirability of legislation to regulate businesses han- 
dling personal information. I remain convinced, Mr. Chairman, 
that a Federal law is needed. 

I applaud the Chairman for continuing and commencing this de- 
bate on this issue, and I look forward to hearing from our wit- 
nesses. I am sorry, Mr. Chairman, for the unusually long opening 
statement. This is a very, very important issue to all Americans, 
and I am very proud of your leadership and continued involvement 
in this issue. I thank you, Mr. Chairman. 

The Chairman. I appreciate it, and we are looking forward to 
working together and trying to get us a consensus built out of the 
Committee. 

Senator Inouye. 

STATEMENT OF HON. DANIEL K. INOUYE, 

U.S. SENATOR FROM HAWAII 

Senator Inouye. Thank you very much, Mr. Chairman. I wish to 
commend you for convening this hearing this morning on this very 
important topic of Internet privacy. 

Last year, I had the great privilege of co-sponsoring a measure 
that was authored by our Chairman, Senator Rollings, that I be- 
lieve provided an excellent template for protecting individuals on- 
line. This year, I hope we can report a similar bill out of the Com- 
mittee. 

With that, Mr. Chairman, I ask that my full statement be made 
part of the record. 

The Chairman. It will be included. 

[The prepared statement of Senator Inouye follows:] 

Prepared Statement of Hon. Daniel K. Inouye, U.S. Senator from Hawaii 

I am pleased the Senate Commerce Committee is holding this hearing today on 
the important topic of Internet privacy. Last year, I cosponsored legislation authored 
by our Chairman, Senator Hollings, that provided an excellent template for pro- 
tecting individuals online. This year, I hope we can report a similar bill out of Com- 
mittee. 

The Internet is too vast and complex to leave privacy protection to self-regulation. 
While many companies employ excellent practices, there are thousands upon thou- 
sands of web sites with inadequate privacy policies. Moreover, despite their best in- 



6 


tentions, every incentive lies with companies operating on the Internet to collect and 
profit from individuals’ personal information. 

If individuals are willing to consent to such practices if they believe they may re- 
ceive something of value in return, that is one thing. But most companies choose 
instead to set forth confusing, and misleading privacy policies that only offer Inter- 
net users an opportunity to “opt-out” of the collection and sale of their personal in- 
formation. 

Often times these opt-out policies are hard to read, hard to understand, and hard 
to find. To me that is not adequate consumer protection. That is why I believe we 
need to set forth a strong Federal standard — that is consistent with past laws on 
protecting privacy, for example in the Cable Act. There, cable operators were re- 
quired to get prior consent (“opt-in”) from subscribers before sharing information 
about individual subscriber viewing habits. This sensible rule has been on the books 
for seventeen years and it seems logical as a framework for use on the Internet. The 
Cable Act also requires that cable operators give consumers a right to access infor- 
mation that has been collected about them, and a right to seek damages in the 
event the law has been violated. 

The notion that such protections are somehow too regulatory is somewhat curious 
to me. We have always put a priority on protecting privacy. The Internet should be 
no different. 

I commend the Chairman for holding this important hearing. I look forward to 
our efforts in this area, and to the testimony of the witnesses today. Thank you. 

The Chairman. Senator Rockefeller. 

Senator Rockefeller. I have no statement. 

The Chairman. Thank you. 

Then Senator Wyden. 

STATEMENT OF HON. RON WYDEN, 

U.S. SENATOR FROM OREGON 

Senator Wyden. Thank you, Mr. Chairman. I will be brief. I just 
wanted to make a couple of points. First, Mr. Chairman I very 
much look forward under your leadership and working with Sen- 
ator McCain to producing a bipartisan bill. I think it is a doable 
proposition. Senator McCain touched on the fact that a variety of 
Committee members have legislation, but I think under your lead- 
ership, we can put together a bipartisan bill. 

It seems to me there are three or four key elements of consensus 
that the Committee can work around. First of all, I think it is clear 
that nobody on this Committee wants an Exxon Valdez of privacy. 
I mean, we cannot afford a disaster that would do enormous dam- 
age in terms of e-commerce and the private sector. 

Second, it seems to me that we all understand that people’s ex- 
pectations in this field are very high, particularly as it relates to 
their personal information, financial information and health infor- 
mation. I don’t think they want to put businesses through bureau- 
cratic water torture for what amounts to, you know, paperwork ex- 
ercises, but for their financial and personal information, the expec- 
tations are very high. 

The last point that I would make, Mr. Chairman, is that I think 
perhaps the key challenge involved in trying to put together a bi- 
partisan bill here involves the private sector in this country, and 
the question is really: Do they want one standard to govern the pri- 
vacy rules in this country, or do they want 50? This involves the 
Federal and state relationship, and it involves the question of 
whether the private sector is going to have the U.S. Congress come 
in and in some way preempt what the states and the various local- 
ities are doing. 



7 


My message to folks in the private sector is that if they want 
some measure of preemption, they have got to support a bill with 
meaningful privacy protection. There has got to be meaningful pri- 
vacy protection in order to have one standard rather than 50, and 
I think Senator McCain made a key point there. You have got to 
have those four elements of the Federal Trade Commission report 
in order to get over the bar that indicates you are for meaningful 
privacy protection, and I look to forward to working with you and 
our colleagues in getting it done. 

The Chairman. Thank you. 

Senator Allen. 

STATEMENT OF HON. GEORGE ALLEN, 

U.S. SENATOR FROM VIRGINIA 

Senator Allen. Thank you, Mr. Chairman, and thank you for 
holding this hearing. This is an issue of concern to myself and 
many others, and I do want to associate myself with the remarks 
of Senator McCain and Senator Wyden. There are a lot of very 
good ideas. I look forward to working with all members of this 
Committee. 

Senator McCain made a very good point on how the private sec- 
tor is addressing this in Microsoft’s PSP. Senator Wyden points out 
certain things that as we go forward with this, Mr. Chairman, I be- 
lieve that when you are talking about privacy, there may need to 
be different levels of security biased upon whether this is privacy 
dealing with health or whether it is finance, whether it may be 
consumer information. 

I do think that if we go into this, we need to make sure the regu- 
lations are reasonable, that they are not over-burdensome as far as 
the Internet. The question and the results will affect how we can 
have access to goods and services to access for information to the 
education of our children, and how we entertain our families. 

I will be guided by, I think, two principles here. One is that I 
believe that we should empower individuals, consumers, to make 
sure that they have the information necessary to be able to make 
a decision or a choice as to whether or not they want to enter into 
a specific site or not, and second, I think we need to encourage to 
the greatest extent possible reliable, credible self-regulation. 

Now, as far as the states are concerned, I am wondering very 
much the rights and prerogatives of the states. However, this is 
clearly interstate commerce, and I think to have a patchwork of li- 
abilities and rules would make it very, very difficult for business 
to know what rules and what liabilities they will have, and I do 
think that we need to be guided by certain principles, and they be 
nationwide in that regard. 

I also feel, Mr. Chairman, that we talk about privacy, but really 
this is an issue of security, and most people understand that inter- 
acting in a society, you are going to have share information, wheth- 
er it is on the Internet, whether it is credit cards, whether it is 
writing checks, whether it is answering a telephone call, whether 
having a telephone in your home, having a car registered. There is 
information being shared. 

People are concerned about what happens to that information 
when they voluntarily choose to reveal it, and I think that we 



8 


ought to make certain that the personal information that they 
share is secure and will not be misused or abused. 

So, Mr. Chairman, I thank you for bringing this very contentious 
issue. I have been analyzing all the bills that have been introduced 
before I became a member of the U.S. Senate, and Senator McCain 
certainly had an outstanding bill, from my perspective, last year. 
Senator Wyden also had — with Senator Burns had outstanding 
bills, and maybe there is a way we can come up with a bipartisan 
approach that empowers individuals, makes sure they are in- 
formed, makes sure they have the knowledge, but also trusts the 
private sector to the best that they all can react to this need to 
come up with standards that are credible and reliable. 

So thank you, Mr. Chairman. 

The Chairman. Thank you. Senator. 

Senator Boxer. 

STATEMENT OF HON. BARBABA BOXER, 

U.S. SENATOR FROM CALIFORNIA 

Senator Boxer. Mr. Chairman, I ask unanimous consent to place 
my statement in the record. I will briefly, briefly summarize. 

The Chairman. It will be included. 

Senator Boxer. First, let me also commend you for making this 
a top priority. Senator McCain did, and I think it is so necessary 
to clarify the nature of the problem we are trying to solve, the de- 
gree of harm that consumers are suffering or might suffer, and the 
appropriate response, the right response, to that harm. 

As a Senator from California, needless to say my deepest hope 
is that we can, in fact, reach consensus. This would be a tremen- 
dous thing, and I am really hopeful, given the nature of the com- 
ments here today, that we can do that. You have a record of doing 
that, and I certainly stand ready to do that. We want to address 
the consumer concerns, and we also want to help the Internet 
grow. We don’t want to stand in the way of that. This balance is 
crucial. 

Last year, I did work with Senators McCain and Kerry on their 
bill. I thought it was a balanced bill, but I stand ready to see if 
there are ways we can make that bill better and compromise and 
work with you, as long as we keep that basic goal of that balance 
between protecting the consumer and protecting the growth of the 
Internet, which I think is so key. 

Let me just make one last point. I know the issue of spamming 
is not part of this debate. We have other times to look at the 
spamming question. But really in many ways, the whole issue of 
spamming is a privacy issue. It is when you are hit with those mes- 
sages, so I trust that that also will move up on the agenda as some- 
thing very important. 

And, again, I look forward to working with you, your staff, and 
across party lines to reach a consensus on this. 

The Chairman. OK. Good. 

[The prepared statement of Senator Boxer follows:] 



9 


Prepared Statement of Statement of Hon. Barbara Boxer, 

U.S. Senator from California 

Mr. Chairman, thank you for calling this hearing on the increasingly important 
issue of privacy on the Internet. It is my understanding that this is only the first 
of a series of hearings we will hold on this issue this year. 

I commend you for making this issue a top priority. These hearings are necessary 
to help clarify the nature of the problem we are tr3dng to solve, the degree of harm 
consumers are suffering or stand to suffer, and the appropriate response to that 
harm. 

I believe that with your leadership, we will be able to work together on this com- 
mittee to find a policy solution that will respond to consumer concerns regarding 
their privacy on the Internet: and simultaneously help the Internet grow in the 
process. 

A number of us on this committee, including myself, have taken an interest in 
passing legislation to protect privacy on the Internet. Though we have some dis- 
agreement on how to achieve that goal, I believe this and other hearings will help 
us air those areas of disagreement and reach a consensus. 

I look forward to this hearing and working with you and your staff on this issue. 

The Chairman. Senator Carnahan. 

STATEMENT OF HON. JEAN CARNAHAN, 

U.S. SENATOR FROM MISSOURI 

Senator Carnahan. Thank you, Mr. Chairman. The issues before 
this Committee today illustrate the profound impact that the Inter- 
net is having on our lives. The Internet boom has changed the way 
we communicate with others and the way we receive information 
and the way in which we engage in commerce. This innovation, 
however, is still in the growth phase, and I do not think any of us 
can accurately predict how the Internet will continue to change and 
develop, or what its future applications might be. 

As the Internet has grown, though, so too have the concerns 
about the protection of personal privacy online. Such concerns have 
led to a debate about whether we should address online privacy 
through legislation, and if so, how that legislation should be craft- 
ed. I think that a number of key factors ought to be considered 
when assessing the need and the scope of online privacy legislation. 

Obviously understanding the nature of a user’s concern will be 
of paramount importance. I have seen survey data suggesting that 
a majority of Internet users in the United States have at least oc- 
casionally altered their online behavior because of privacy con- 
cerns. It is difficult to discern, however, the precise nature of Inter- 
net users’ privacy concerns. 

Are people worried primarily about identity theft? The security 
of their credit card or other sensitive information? Or are people 
uneasy about the collection of personal information being used for 
marketing purposes? We will need to identify exactly what causes 
Americans to alter their online behavior in order to respond appro- 
priately. 

I am an active user of the Internet. I surf the web to get my 
news and to conduct research and to shop, and I even occasionally 
bid on an auction. It is extremely important to me to know exactly 
what information a web site is collecting about me and how they 
will use that information and to whom that information will be dis- 
seminated. 

When considering legislation, we must also determine how our 
proposal will impact web sites and the companies who operate 
them. We must ensure that we don’t do anything that would stifle 



10 


future growth and innovation of the Internet, and we must con- 
sider the impact that new technological advancements may have on 
the dynamics of the issue. 

P3P, for example, has the potential to allow users to protect their 
own privacy by providing warnings about web sites that do not fit 
their privacy preferences. Innovations such as P3P may provide 
part of the solution to this problem. I believe that eventually a 
workable balance will have to be struck; a well-crafted legislative 
solution will set appropriate guidelines for web operators, one that 
will assuage users’ concerns and ultimately lead to a more wide- 
spread use of the Internet. 

And, finally, I think that Government should lead the way by ex- 
ample in terms of guaranteeing online privacy protections. The Of- 
fice of Management and Budget under President Clinton issued 
privacy guidelines for all Federal agencies’ web sites, but this 
should just be the start of the Government’s efforts. I am working 
with state and local officials in my state in an effort to ensure that 
Missouri is on the leading edge of protecting the privacy of its citi- 
zens. 

As we consider efforts to impose privacy guidelines on commer- 
cial web sites, I think it is imperative that Government dem- 
onstrate its commitment concurrently. Thank you, Mr. Chairman. 

The Chairman. Senator, you will find out what is collected in the 
next campaign. 

Senator Carnahan. I’m sorry? 

The Chairman. I say, you will find out what they have collected 
in the next campaign. 

Senator Carnahan. Oh, yes, sir. 

The Chairman. You said you wondered what. 

Senator Ensign. 

Senator Ensign. No. 

The Chairman. Thank you. 

Senator Nelson. 

STATEMENT OF HON. BILL NELSON, 

U.S. SENATOR FROM FLORIDA 

Senator Nelson. Mr. Chairman, I just want to say what a pleas- 
ure it is to be a new member of this Committee. I am looking 

The Chairman. Delighted to have you. 

Senator Nelson. I am looking forward very much to serving 
under your leadership and Senator McCain’s leadership, and this 
is a great privilege for me. 

The Chairman. Thank you very much. 

Senator Rockefeller. 

STATEMENT OF HON. JOHN D. ROCKEFELLER IV, 

U.S. SENATOR FROM WEST VIRGINIA 

Senator Rockefeller. Mr. Chairman, I hadn’t planned on 
speaking, but I wanted just to make two points. Number one, there 
has been this very interesting sort of cross-relationship of we want 
to protect privacy, but we don’t want to do anything to prevent 
Internet growth, and it strikes me that when you are talking about 
jobs in the environment, you run into this kind of thing. 



11 


I mean, people always say, “Well, we can’t protect jobs and envi- 
ronment,” and that is often the case and sometimes it isn’t. Some- 
times it just isn’t. Sometimes you have got to decide you are going 
to go this way or you are going to go that way. And it may be that 
this is one of those issues. 

Some here have talked about — ^you know, I am very strongly for 
privacy, but we can’t have any Internet regulation; we have got to 
let them do it themselves. I have to tell you that I have a very 
smart legislative assistant who just went through my recent com- 
puter stuff with Windows cookies, and, you know, I am highly of- 
fended by what I have in front of me, which is basically everything 
that I have looked at, not just including what I have looked at, but 
also the advertisements that came on while I was looking at some- 
thing. 

Now, it is all listed right here. This just a few days, and I don’t 
like it, and it holds out to me the possibility of being watched. Now, 
I consider myself reasonably — I use that word carefully — reason- 
ably sophisticated when it comes to the use and knowledge about 
technology. I work on these things hard as the Chairman knows. 
But I had no idea that I could get this. I knew that there were 
cookies around and there were other things around that could say 
where I was and what I was doing and, you know, it is sort of like 
using a cell phone. The advantage is nobody knows where you are 
calling from, and all of a sudden this comes up and says, “Well, 
they know exactly where you are calling from, what you are going 
to do, what you want”. 

And I consider this mildly dangerous. During the course of the 
questioning, I am going to be rather careful to ask people why they 
think that we passed nine pieces of privacy legislation. You men- 
tioned a number of them, Mr. Chairman, aimed at everything from 
telephones, credit cards, to children over a number of years, and 
yet we allow this to go on, where virtually anything — my life, my 
disposition, my nature, my character, all of it is just sitting here 
for anybody to see and, in fact, print out. So this is going to be an 
interesting hearing. 

The Chairman. And, in fact, sell. 

Senator Rockefeller. And sell. 

The Chairman. That is right. Very good. I think that is all our 
colleagues, and we appreciate their attendance. 

Mr. Marc Rotenberg, the Executive Director of Electronic Privacy 
Information Center; Fred Cate of Indiana University School of 
Law; and Dr. Paul Schwartz, professor of law at the Brooklyn Law 
School, please come forward. 

The Committee has received these statements, and they will be 
included in the record in their entirety, but with the attendance 
here this morning and the other important panel that we have, we 
will ask that you try to summarize within 5 minutes or a little bit 
more as best you can, and like I say, the full statements will be 
included in the record. 

Mr. Rotenberg. 



12 


STATEMENT OF MARC ROTENBERG, EXECUTIVE DIRECTOR, 
ELECTRONIC PRIVACY INFORMATION CENTER 

Mr. Rotenberg. Thank you very much, Mr. Chairman. I would 
like to thank you and the other members of the Committee for 
holding this hearing today. I think over the last few years, there 
have been few Committees in Congress that have paid closer atten- 
tion to the privacy issue than the Senate Commerce Committee, 
and I would like to thank you very much for your continued work 
on this matter. 

There are very few issues today also in the United States where 
people seem to feel more strongly than on the matter of personal 
privacy. In poll after poll, the public has made clear that it is con- 
cerned about the loss of its privacy, and it believes that it is appro- 
priate and necessary for the Government to act. This support is 
found across both political parties, across all demographic groups. 

One poll finds that 86 percent of Internet users favor opt-in pri- 
vacy policies. According to Business Week, three times as many 
Americans favor government action on the privacy front over indus- 
try self-regulation. And perhaps the most interesting poll is the one 
recently released by the Gallup organization, which found that not 
only 66 percent of Internet users believe that the Federal Govern- 
ment should act, but support for privacy legislation increased in 
proportion to the activity and experience of Internet users. 

In other words, the more people used the Internet, the more they 
became dependent on the Internet for their business work, for their 
private communications, for the type of information sharing and 
exchange that has become increasingly common, the more they felt 
it was appropriate to pass privacy legislation. And in many ways, 
this is not surprising. 

If you look at the tradition of the development of privacy law in 
the United States, you will see, in fact, that Congress has typically 
passed privacy legislation when new communication services and 
new commercial environments have been created. This was true in 
1934 when privacy protection was established for telephone service. 
It was true in 1984 when privacy protection was established for 
cable service. 

Legislation promotes public confidence and trust. It rewards good 
business practice. It helps create new market places and new eco- 
nomic opportunities where consumers are given the assurance that 
their personal information will not be misused. 

I think the key question at this point, Mr. Chairman and mem- 
bers of the Committee, is how to pass good privacy legislation, how 
to get a bill done that will contain the key elements that will make 
privacy workable in the online environment. Now, in my statement, 
I have outlined what I believe to be those key elements. I also pub- 
lish a book that contains U.S. privacy law, and I will briefly sum- 
marize what I think is necessary to make privacy legislation work. 

I think the key point, first of all, is that organizations have to 
be open and accountable in the collection and use of personal infor- 
mation. This is more than just having a privacy policy. It is more 
than just telling people. This is what we will do with your personal 
information. Individuals need to have the ability to see that infor- 
mation, see how it is used and who it is shared with others. 



13 


That’s the approach that was taken, for example, not only with 
credit reports, but interestingly also in the Cable Act of 1984, 
which says quite clearly that cable subscribers have the right to 
“access all personally identifiable information regarding the sub- 
scriber collected and maintained by a cable operator.” That right of 
access is key to public confidence in understanding how the per- 
sonal information that they provide to business will subsequently 
be used. 

I think it is also important in a good privacy bill to have a pri- 
vate right of action. This is the approach that was taken not only 
in the Cable Act but in the Video Privacy Protection Act and the 
Telephone Consumer Protection Act. Virtually every privacy bill 
that has been done by the U.S. Congress gives individuals the op- 
portunity to receive a small award — we are not talking about exor- 
bitant fees here; we are talking about $500 or $2,000 — when they 
are able to establish that their personal information was misused 
in violation of Federal law. 

Now, on the critical issue of preemption — and I know this is a 
difficult issue, because, of course, it is quite attractive from the 
business side to say, “How can we be expected to comply with 50 
different state standards”; that seems to us an unreasonable bur- 
den, and I think we are sensitive to that concern. 

But I would like to make two points in response. First of all, the 
tradition in this area, what has been done in the past with Federal 
privacy legislation, is to create a baseline and to allow the states 
to legislate upwards if they wish. This has been done for two rea- 
sons: one, out of respect for our Federal form of government, which 
allows the states to protect the interests of their citizens if they so 
choose; also out of recognition that states may be able to experi- 
ment in different legislative approaches, come up with options that 
may not have been developed in Washington or maybe not even by 
some of the other states that turn out over time to be more effec- 
tive. 

Federal preemption would effectively prevent the states from in- 
novating in the privacy area, and I think this would be a mistake. 
My other argument against Federal preemption concerns the prac- 
tical problems that consumers face today in the online environ- 
ment. It is true that in the absence of Federal preemption, some 
businesses may face 50 different state laws that they would have 
to comply with, but let’s consider now what consumers today on the 
Internet face when they surf hundreds or possibly thousands of 
web sites in the course of a few weeks or a few months. 

Every one of those web sites could have a different privacy pol- 
icy, and every time a consumer goes from one web site to the next, 
that person would effectively have to evaluate the adequacy of that 
privacy protection. I think the goal in this area has to be to estab- 
lish fair and effective privacy legislation. I think it will be good for 
consumers, good for businesses, and I thank you again for the op- 
portunity to appear this morning. 

The Chairman. Thank you very much. 

[The prepared statement of Mr. Rotenberg follows:] 



14 


Prepared Statement of Marc Rotenberg, Executive Director, 
Electronic Privacy Information Center 

My name is Marc Rotenberg. I am Executive Director of the Electronic Privacy 
Information Center (EPIC) in Washington. I have taught the Law of Information 
Privacy at Georgetown University Law Center since 1990. I am the editor of two 
books on privacy and have participated in many of the public campaigns over the 
past decade to safeguard privacy rights in the United States. 

I’d like to thank the Committee for holding this hearing today and also for the 
hearings that were held during the past Congress to address public concerns about 
privacy. This is an enormously important issue of interest to a great many Ameri- 
cans. Simply stated, there is a widespread concern that in order to enjoy the bene- 
fits of information technology we will be forced to sacrifice personal privacy. The 
central challenge is how best promote the benefits of new technology and to preserve 
right of privacy and personal autonomy. 

I believe that there are two questions before the Committee today. The first is 
whether legislation is necessary to protect privacy on the Internet. The second, if 
you agree that legislation is appropriate, is what are the key elements of a good 
privacy measure. I will focus my remarks on these two issues. 

1. the need for privacy legislation 


а. Legal Tradition 

Legal tradition in the United States clearly shows that laws will be established 
to safeguard the right of privacy when new electronic services are provided. This 
was true in 1934 when the Congress adopted provision 605 of the Communications 
Act to ensure the privacy of communications sent by telephone and in 1999 when 
Congress passed the Wireless Communications and Public Safety Act to safeguard 
the privacy of location data in advanced network services. 

With virtually every new technology that involved the collection of personal con- 
sumer information — from Cable television and video rentals to electronic mail and 
automated medical information — Congress has passed laws to safeguard privacy. It 
has established clear responsibilities for companies that collect personal information 
and has created rights backed up with legal sanctions for individuals who disclose 
information in the course of a commercial transaction. 

These laws have promoted best business practices, promoted public confidence, 
and limited the misuse of personal information in the new electronic environments. 
In other words, these laws have encouraged public adoption of new services to the 
benefit of both consumers and businesses. 

Some have said that there should not be different rules for the online world and 
the offline world, but there are two answers to this point. First, online commerce 
simply is different. Cookies, web bugs, online profiling and Spyware are all uniquely 
associated with the architecture of the interactive digital environment. Publishers 
in the print and broadcast media simply do not have the ability to collect personally 
identifiable information without the actual consent or participation of their cus- 
tomers. A newspaper advertiser does not know who was reading an ad. 

But today with the Internet, advertisers do have the ability to track individuals. 
Techniques are available to profile individual preferences, oftentimes without the 
knowledge or consent of the profiled person. It is because of the very specific capa- 
bility of the online environment to collect and record personal information that legis- 
lation is appropriate. And it is consistent with the tradition of US privacy law that 
such legislation be adopted. 

б. Technology and Legislation Work Together 

Key to the adoption of privacy legislation is that lawmaking and technological in- 
novation can work together. Groups, such as EPIC, that favor privacy legislation 
have also worked to encourage the development of technical standards that allow 
Internet users to safeguard their data and protect their identity. One of the most 
popular features on our web site is the Practical Privacy Tools page which allows 
Internet users to surf anonymously, delete cookies, encrypt private messages, erase 
files, and filter ads. 

We recognize that there are a range of technical and legal approaches that will 
help safeguard privacy. But we also believe that in the absence of a statutory frame- 
work, a type of privacy survivalism could easily result. Without consumer trust in 
new services, each person will be forced to adopt elaborate defensive measures to 
protect privacy in the most routine commercial transaction. Such an outcome could 
not be beneficial for the long-term growth of electronic commerce. 



15 


c. Public Opinion 

There are very few issues today in which Americans have expressed a clearer 
opinion than on the issue of privacy. In poll after poll, the public has made clear 
that it is concerned about the loss of personal privacy and that it believes it is ap- 
propriate and necessary for the government to act. Large majorities are found in 
both political parties. 

According to the Pew Internet and American Life Project, 86% of Internet users 
favor opt-in privacy policies. According to Business Week, three times as many 
Americans believe the government should pass laws now to safeguard online privacy 
as those who believe self-regulation is sufficient. According to Forrester Research, 
90% of Americans want the ability to control the collection and use of their data. 
The Pew survey also found that more than 90% of Internet users thought companies 
should be punished when they violate their own privacy policies. 

In a recent Gallup Poll, 66% of email users said that the Federal government 
should pass laws to protect citizens’ privacy online. Most remarkable is that the 
Gallup organization found that support for legislation increased as the level of expe- 
rience increased. Frequent Internet users — those who spend 15 hours or more online 
each week — are more likely to favor the passage of new laws (75%) than are infre- 
quent users (63%). This finding is contrary to some of the earlier industry-funded 
polls that attempted to suggest support for legislation would diminish as use of the 
Internet increased. 

The message here is clear: experienced Internet users understand the limitations 
of technical solutions and industry self-regulation. They want legal control over 
their personal information. 

d. Experience with Self-Regulation 

The argument for legislation is also made clear by the failure of self-regulation 
to safeguard online privacy and promote public confidence in network services. Pub- 
lic concern about the loss of privacy has grown almost in direct proportion to the 
self-regulatory programs. In many respects, this is not surprising. These programs 
encourage the posting of privacy notices, which have come to be called privacy warn- 
ing labels that provide little actual assurance of privacy protection. If you go to a 
website and read a privacy policy, you will see quickly that these policies simply 
state the many purposes to which the information collected will be used. Few pri- 
vacy policies make any meaningful attempt to limit the use or disclosure of data 
obtained. 

Technical problems are also arising with self-regulatory initiatives. How do you 
provide a privacy notice to a person who tries to access a web site from a cell phone, 
a commercial application that may become increasingly popular in the years ahead? 
One solution now under consideration is to create special symbols that could be 
viewed on the cell phone display. Another privacy scheme sets out a confusing array 
of privacy choices that will likely exclude many people from commercial web sites 
where privacy rules could otherwise provide uniform protection. 

Problems with self-regulation can also be found in certain market segments where 
industry has been left free to design its own privacy policies rather than to rely on 
better established legal frameworks. For example, the Network Advertising Initia- 
tive proposal sanctioned by the FTC allows Internet advertisers to continue to pro- 
file Internet users, based on only the availability of an opt-out opportunity. This is 
contrary to the general approach in other areas which establish legal obligations for 
those who create profiles on known individuals. Even more surprising is that to ex- 
ercise a right to opt-out of routine tracking, Internet users must maintain on their 
computers a cookie from the company that would otherwise track them! 

e. Government Searches 

Many who oppose legislation for online privacy say they want to keep government 
off the Internet. But one practical consequence of failing to pass privacy legislation 
is that without legislation there is no protection for personal information held by 
third parties from government searches. Government agents are free to go to Micro- 
soft, Yahoo, Amazon, or any company in possession of personal data without a war- 
rant and obtain the data on these companies’ customers whether or not it is directly 
relevant to a particular investigation. This is contrary to the approach that has been 
established for other new electronic services as well as the treatment of sensitive 
information in the offline world. It also demonstrates the failure of self-regulation: 
there is no procedure and no method of accountability when data is disclosed to 
third parties through legal compulsion. 



16 


f. The International Dimension 

The need for privacy legislation is demonstrated also by the demands of global 
commerce which now allows consumers around the world to buy and sell products 
online. This is a very promising development but also raises substantial concerns 
about the protection of the personal information that flows across the network. 
Many governments have taken steps to develop privacy laws to safeguard consumer 
interests. 

Although the US has not yet adopted legislation that might be considered ade- 
quate for purposes of the European Union Data Directive, the Safe Harbor Arrange- 
ment does offer a possible intermediate step that will provide some assurance of pri- 
vacy protection for European consumers doing business with US firms. Moreover, 
US firms have realized that in adopting these standards for their relations with cus- 
tomers in Europe, it is now sensible to provide similar protections for customers in 
the United States. 

Privacy legislation will help carry forward this process by encouraging firms to 
adopt standards for privacy protection that will be recognized in countries around 
the world. Establishing these privacy rules for the online marketplace will be crit- 
ical for the continued growth of global commerce. 

g. Emerging Challenges 

Much of the privacy work of this Committee has focused on issues associated with 
the Internet. But there are new challenges ahead. A report from the Center for Dig- 
ital Democracy makes clear that the televisions in homes that allow us to look out 
on the world will increasingly be looking back at us. Cameras in public places raise 
new challenges for local communities. Even the tracking of rental cars by GPS has 
provoked public concern. 

I do not think Congress today can anticipate all of the new privacy challenges 
that will arise. But the passage of legislation to protect online privacy will carry for- 
ward an important tradition, strengthen public confidence, and provide the basis for 
future legislative efforts. 

2. THE NEED FOR GOOD INTERNET PRIVACY LEGISLATION 

If the case is made for legislation to safeguard the rights of Internet users, then 
the next question is how best to draft the bill. Previous legislation enacted by Con- 
gress provides a blueprint for legislation in this area. These laws reflect a reasoned 
consideration of the key elements for privacy protection in a wide range of areas. 
They have also helped enforce best practices within industry segments, promote 
public confidence in new services, and minimize that risk that information will be 
used improperly. 

а. Openness and Accountability 

The first requirement of a good privacy law is that organizations are open about 
their data collection practices and accountable to those whose information they 
gather. This is not simple a matter of posting a notice or a privacy policy on a web 
site. 

The most effective way to ensure openness and accountability is to give the indi- 
vidual the right to inspect the data collected, ensure its accuracy and understand 
it use. This principle goes back to the Privacy Act of 1974 which grants every citizen 
the right to access and correct records maintained by Federal agencies, 5 USC 
§ 552a(d)(l-4), and to the Fair Credit Reporting Act of 1970 which gives consumers 
the right to access their credit reports maintained by credit reporting agencies. 15 
USC § 1681g(a). 

This approach has been carried forward in privacy legislation developed for new 
electronic services. The privacy provisions in the Cable Act of 1984, for example, es- 
tablish the right for cable subscribers to “access all personally identifiable informa- 
tion regarding the subscriber collected and maintained by a cable operator.” 47 USC 
§ 551(d). The Children’s Online Privacy Protection of 1999 allows parents to obtain 
records of information collected on their children and request that certain informa- 
tion be removed. 15 USC § 6502(b)(l)(B)(i),(ii). 

The right to access information about oneself held by others in the context of a 
commercial relationship is one of the key elements of effective consumer privacy leg- 
islation. 

б. Meaningful Consent 

Privacy law makes clear that consent must be meaningful and that this often re- 
quires prior express consent. For example, the Video Privacy Protection Act states 
that disclosure of personally identifiable information, such as the title or description 
of tapes rented, requires “informed, written consent of the consumer given at the 



17 


time the time the disclosure is sought.” 18 USC § 2710(h)(2)(B). The privacy provi- 
sion in the Cable Act requires “prior written or electronic consent” before a cable 
operator may collect any personally identifiable information that is not necessary to 
provide the cable service or detect unauthorized interception of cable communica- 
tions. 47 USC §551. 

One of the reasons that privacy advocates and experts favor the opt-in approach 
is that it follows the common sense understanding of consent. If you look up the 
dictionary definition for consent, you will likely see “permission,” “approval,” or “as- 
sent.” All of these terms imply an overt act, not a failure to act. This is the approach 
typically followed in privacy statutes. 

c. Private Right of Action 

Privacy laws have also typically included a private right of action that has em- 
powered individuals and made it possible to hold accountable those who misuse the 
personal information in their possession. In crafting the liability provisions in pri- 
vacy statutes. Congress has wisely incorporated a liquidated damages provision that 
provides a specific dollar figure for violations of the law. This is necessary because 
it is often difficult to assign a specific economic value to privacy harm. 

The Cable Act, for example, allows for a civil action and the recovery of actual 
damages not less than liquidated damages of $100 per for violation or $1,000, 
whichever is higher. 47 USC § 551(f). The Video Privacy Protection Act specifies liq- 
uidated damages of $2,500. 18 USC § 2710(c)(2). The Telephone Consumer Protec- 
tion Act allows individuals who receive unsolicited telemarketing calls to recover ac- 
tual monetary loss for such violation or up to $500 in damages. 47 USC § 227(c)(5). 

These awards are hardly exorbitant. But they do help ensure that the rights es- 
tablished by Congress will be backed up with remedies. In the absence of a private 
right of action, there is a very real risk that there will be little incentive for compa- 
nies to comply with privacy standards. 

d. Federal Baseline 

Privacy laws enacted by Congress have typically not preempted state privacy 
laws. This is partly out of respect for our Federal form of government that grants 
states authority to safeguard the rights of their citizens, and also out of recognition 
that states frequently innovate in areas of emerging privacy protection. The bill to 
address genetic privacy, for example, which has now received bipartisan support, 
came about in part through a process of trial and error in state legislatures. Similar 
experimentation in the best ways to address video surveillance is currently under- 
way. 

In the Cable Act, states and franchising authorities may take further steps to 
enact and enforce laws for the “protection of subscriber privacy.” 47 USC § 551(g). 
The Video Privacy Protection Act will “preempt only the provisions of State or local 
law that requires disclosure” otherwise prohibited by the section. 18 USC § 2710(f). 
Even the Telephone Consumer Protection Act left the state Attorneys General free 
to bring actions under the Federal statute and made clear that nothing in that law 
would “prohibit an authorized state official from proceeding in State court on the 
basis of alleged violation of any general civil or criminal statute of such State.” 47 
USC § 227(f)(6). 

e. Cable Act as Model 

Mr. Chairman, almost twenty years ago you introduced legislation to safeguard 
the privacy rights of users of new interactive cable services. Similar legislation was 
introduced at that time by Senator Barry Goldwater and by Senator Howard Baker. 
There was no question at that time that in the interactive environment associated 
with cable television services in the early 1980s significant privacy issues would 
arise. Customers would bank online, cast votes online, and express their political 
opinions. Congress wisely established privacy rules to safeguard the collection and 
use of personal information in that emerging communications environment. The pri- 
vacy provisions in the Cable Act, although filling only a few pages, provide just 
about the most extensive protection of privacy to be found in US law. 47 USC §551. 
Under that law, every consumer in the United States who subscribes to a cable tele- 
vision service receives certain basic privacy rights. 

Cable providers must provide written notice to subscribers of their privacy rights 
at the time they first subscribe to the cable service and, thereafter, at least once 
a year. These notices must specify the kind of information that may be collected, 
how it will be used, to whom and how often it may be disclosed, how long it will 
be stored, how a subscriber may access this information and the liability imposed 
by the Act on providers. 

Subject to limited exceptions, the Act requires cable service providers to obtain 
the prior written or electronic consent of the cable subscriber before collecting or dis- 



18 


closing personally identifiable information. The Act grants cable subscribers the 
right to access the data collected about them and to correct any errors. It also pro- 
vides for the destruction of personally identifiable information if that information 
is no longer necessary. There is a clear Fourth Amendment standard that limits the 
circumstances under which government may gain access to our private viewing 
records. Finally, the law sets out a private right of action including actual and puni- 
tive damages, attorney’s fees and litigation costs for violations of any of its provi- 
sions. State and local cable privacy laws are not preempted by the Act. 

The privacy provisions in the Cable Act of 1984 make clear that Congress can 
pass sensible, workable and effective legislation for new interactive environments. 
It has done so on a bipartisan basis and those provisions have stood the test of time. 

f. Consequences of Weak Legislation 

It is conceivable that Congress would adopt a weak “notice and choice” privacy 
law that provides few substantive rights, preempts state law, and lacks a method 
of meaningful enforcement. Such a measure would likely produce the backlash that 
has resulted from the weak privacy provisions in the Financial Services Moderniza- 
tion Act. The warning notices mandated by that law have simply raised public 
awareness of the widespread sharing of personal information and the difficulty in 
protecting privacy under the opt-out approach. This approach fails to establish ac- 
tual safeguards for personal data when it is collected. 

The better approach is the one favored by forward-looking businesses and the one 
traditionally followed in privacy law: those who wish to make use of personal infor- 
mation have the affirmative responsibility to obtain meaningful consent, rights to 
access personal information held by others should be established, and methods for 
meaningful oversight should be established. 

CONCLUSION 

Mr. Chairman, Members of the Committee, the time has come to make clear that 
the right of privacy does not end where the Internet begins. There is now the chance 
to establish law that will allow users to enjoy the benefits of innovation and to pre- 
serve cherished values. We have the opportunity to carry forward an American tra- 
dition that has marched side by side with the advancement of new technology. But 
we may not have this opportunity for long. In the absence of clear legal standards, 
we could easily drift into a world of privacy notices and warning labels, where every 
keystroke on your personal computer is quietly recorded in the database of another 
computer, then to be merged with data beyond your knowledge or control. In the 
absence of good privacy legislation, that future seems likely. 

Thank you for the opportunity to appear before the Committee. I will be pleased 
to answer your questions. 

The Chairman. Mr. Cate. 

STATEMENT OF FRED H. CATE, PROFESSOR OF LAW, 
INDIANA UNIVERSITY SCHOOL OF LAW 

Mr. Cate. Thank you, Mr. Chairman, members of the Com- 
mittee. It is a privilege to appear, and I want to offer my apprecia- 
tion for your holding this hearing. 

Given the limited time, I will address just a single issue, and this 
issue is addressed in some greater detail in my prepared state- 
ment, and that is the method by which consumer choice is manifest 
and particularly the debate between opt-in and opt-out that has oc- 
cupied this Committee in the past and is present in the bills that 
have been introduced to date. 

The problem with the discussion of consumer control — and it is 
in many ways a little dark secret that not many of us want to talk 
about publicly — is that very few people read privacy notices. In 
fact, very few people read any of the notices we are presented with 
on the Internet. We click through them. We accept the terms with- 
out reading them. For a number of reasons, we do not encounter 
these notices, whether they are sent by email or mail or other 
methods of communication. 



19 


In fact, the Post Office tells us that more than half of mail sent 
in this country, unsolicited mail, is thrown away without ever 
being opened. So when you put a privacy notice in a letter and you 
mail it out in that form, half are going to he thrown away before 
they are even seen, without ever being seen by the consumer. 

It is for this reason that we see very low opt-out rates in this 
country, but it is also for this reason that we see very low opt-in 
rates. The size of those rates, the fact that so few people respond, 
reflects, in fact, very little about what their choices are or how that 
choice is presented. It reflects instead the fact that few of us want 
to make those decisions, want to be bothered to make them, want 
to be interrupted when browsing on the Internet to make them, 
and in fact, veiy few people do make those decisions. 

So the question for Congress, it would seem, is what to do about 
online privacy in an environment in which people are most likely 
to ignore and not act on the notices that will be required or that 
are being voluntarily provided. 

Under opt-out, when a consumer fails to respond, the service can 
continue to be provided, the information can continue to be used, 
and the consumer has the option, if he or she wishes, if he or she 
is worried about privacy, to opt out either then or at any time in 
the future. 

Under opt-in, if the consumer either does not see the notice or 
does not respond to it, then the service, if use of the information 
is a condition of the service, cannot be provided. The service is ter- 
minated at that point. 

I found myself facing a good example of this this weekend as I 
was downloading software from the Internet, and I was presented 
not only with an intellectual property agreement, which I did not 
read; I just clicked on “Accept”, but then for the first time in my 
experience, with a privacy agreement, which I was forced to page 
through. I had to check on each individual page that I had read 
it, and when I reached the end of it, I clicked on “I don’t accept”, 
at which point the installer closed, because my only choice at that 
point was to accept or not to receive the service. 

If you want your own practical experience for what this is like, 
you might try setting your browser so that it will ask before it ac- 
cepts cookies. Most of the people who have tried this — and this is 
often, I believe, testified to before this and other Committees — find 
that after being interrupted 10 or 12 times asking, “Will you accept 
a cookie?”, they set the default to “Accept all cookies.” That is opt- 
in in its clearest form, and it drives consumers to accept every- 
thing. 

Interestingly, if you set your browser to say, “No, I will not ac- 
cept cookies”, you are then driven off of many sites which you 
might otherwise desire to use. 

Now, this is dealing with opt-in and the situation in which infor- 
mation is first being provided. We also must consider the situation 
of subsequent use of information or use of that information by a 
third party. Under opt-in, a notice must be sent out, presumably 
by email or mail or telephone call. But, again, we know historically 
a majority of those notices will be ignored, and therefore, opt-in re- 
sults in a de facto no-information use rule with a dramatic effect 
on innovation, on competition, on the ability to provide new serv- 



20 


ices because of the simple inability to even get the consumer to 
focus on the choice. 

Moreover, this is where the real cost to consumers — and that is 
the only cost I am worried about today — that is where the real cost 
to consumers is felt, by those multiple contacts, by more email not 
less, by the increased price of services because of having to include 
the cost of reaching the consumer who is trying to hard not to be 
reached. 

It is for this reason that opt-in, even though we think of it as 
a consent mechanism, often creates only the illusion of consent, not 
the reality, simply the appearance. We can all feel better that we 
know consumers are having a chance to opt in or not opt in, but 
in reality, consumers don’t have that chance, because they must 
opt in to get the service, the information is necessary to provide the 
service, or because we miss the notice altogether. We simply never 
have the opportunity. 

Now, the Chairman mentioned the situation in Europe earlier, 
and I believe that this, what I have just testified to, in fact, reflects 
what we see in Europe, which is very little, in fact, virtually no en- 
forcement of the opt-in provisions, especially online. In fact, privacy 
scholar Amitai Etzioni has written — and I quote: 

“It seems that this EU directive is one of those laws that is enacted to keep 
one group, privacy advocates and their followers, happy, and as a rule is not 
enforced, so that commerce and life can continue.” 

A study this past January by Consumers International bears out 
this result. After studying the most popular web sites in the United 
States and Europe, the study found that although they collected in- 
formation at nearly comparable rates, U.S. web sites provided bet- 
ter privacy protection despite having no legal obligation to do so 
than European sites. In fact, the authors of the study wrote — and, 
again, I quote: “U.S. -based sites tended to set the standard for de- 
cent privacy policies.” 

Finally, let me just note in closing opt-in poses significant First 
Amendment issues, precisely because of the burden that it places 
on speech, on communication. The Supreme Court has struck down 
many ordinances that would have required affirmative consent be- 
fore receiving door-to-door solicitations, communist literature, even 
patently offensive cable programming. It seems highly unlikely 
that the Court would uphold the law requiring affirmative consent 
before permitting the collection and use of basic and true personal 
information. Thank you, Mr. Chairman. 

[The prepared statement of Mr. Cate follows:] 

Prepared Statement of Fred H. Cate, Professor of Law, 

Indiana University School of Law 

Mr. Chairman: My name is Fred Cate, and I am a professor of law and director 
of the Information Law and Commerce Institute at the Indiana University School 
of Law in Bloomington, and Global Information Policy Advisor to the law firm of 
Hunton & Williams. For the past 12 years, I have researched, written, and taught 
about information laws issues generally, and privacy law issues specifically. I di- 
rected the Electronic Information Privacy and Commerce Study for the Brook ings 
Institution, served as a member of the Federal Trade Commission’s Advisory Com- 
mittee on Online Access and Security, and currently am a visiting fellow, addressing 
privacy issues, at the American Enterprise Institute. 

I appreciate the opportunity to testify today. I would like to take advantage of 
the presence of my distinguished colleagues on this panel and limit my testimony 



21 


to two points: the ways in which requiring consumer “consent” for information col- 
lection and use burdens consumers and creates costs, and the extent to which re- 
quiring opt-in exacerbates, rather than ameliorates, the harmful impact of many 
privacy laws. 


THE TRANSFORMATION OF PRIVACY LAW 

Historically, U.S. privacy law focused on two broad themes. The first and most 
visible was preventing intrusion by the government. This is the context of virtually 
all constitutional privacy rights, and it reflects the reality that only the government 
exercises the power to compel disclosure of information and to impose civil and 
criminal penalties for noncompliance, and only the government collects and uses in- 
formation free from market competition and consumer preferences. 

The second theme reflected in U.S. privacy law throughout the last century was 
preventing uses of information that harm consumers. When privacy laws did ad- 
dress privates-sector behavior, they were designed to prevent specific, identified 
harms. So, for example, the common law privacy torts of intrusion, public disclosure, 
and false light privacy all require that the conduct complained of be “highly offen- 
sive to a reasonable person,” i and the information disclosed must either be false^ 
or “unreasonably place[] the other in a false light before the public.”^ Similarly, the 
Fair Credit Reporting Act, one of earliest privacy laws applicable to the private-sec- 
tor, focuses primarily on correcting inaccuracies and assuring that credit informa- 
tion is not used in ways likely to harm consumers.'^ 

Increasingly, however, the dominant trend in recent and pending privacy legisla- 
tion is to invest consumers with near absolute control over information in the mar- 
ketplace — irrespective of whether the information is, or could be, used to cause 
harm. Public officials and privacy advocates argue that “we must assure consumers 
that they have full control over their personal information” ® and that privacy is “an 
issue that will not go away until every single American has the right to control how 
their personal information is or isn’t used.” ® The National Association of Attorneys 
General’s December 2000 draft statement on Privacy Principles and Background 
sets forth as its core principle: “Put simply, consumers should have the right to 
know and control what data is being collected about them and how it is being used, 
whether it is offline or online.”'^ And virtually all of the privacy bills pending before 
Congress reflect this goal: “To strengthen control by consumers” and “to provide 
greater individual control.”^ 

This dramatic expansion from focusing on information privacy only in the contexts 
of government collection and harmful use, to regulating all personal information in 
the marketplace, poses many issues. Two of the most important involve the capacity 
and desire of most individuals to exercise control over information about them, and 
the impact of the legal means by which they seek to do so. 

THE LIMITS OF CONTROL 

The problem is that most consumers, in practice, don’t want to exercise that con- 
trol over the information we disclose and generate. We don’t want to take the time 
to make those decisions, we often lack the knowledge or experience to understand 
the decisions we are being asked to make, we rarely want to be held responsible 
for the consequences of our decisions (especially since we seldom understand them), 
and, most significantly, we consider the interruption of being asked a nuisance and, 
as a result, we resent it. This is especially true on the Internet, where speed and 
convenience are most highly valued. 

In practice, consumers ignore virtually all privacy notices and authorizations. The 
U.S. Post Office reports that 52 percent of unsolicited mail in this country is dis- 
carded without ever being read.® This is especially true online. Unsolicited e-mail, 
even when sent by a company with which the recipient has a relationship, is not 
opened at about the same rate, privacy policies are widely ignored, and pop-up 
screens with terms and conditions are simply clicked through without ever being 
read. The chief privacy officer of Excite@Home told a Federal Trade Commission 
workshop on profiling that the day after 60 Minutes featured his company in a seg- 
ment on Internet privacy, only 100 out of 20 million unique visitors accessed that 
company’s privacy pages, i® 

All of the available data on consumers opting out or opting in reflects this. Exten- 
sive experience with company-specific and industry-wide opt-out lists, and the re- 
cent experience of financial services companies providing opt-out opportunities in 
compliance with the privacy provisions of the 1999 Gramm-Leach-Bliley Financial 
Services Modernization Act, demonstrate that less than 10 percent of the U.S. popu- 
lation ever opts out of a mailing list — often the figure is less than 3 percent.^i Pri- 
vacy advocates often point to these figures as evidence that opt-out doesn’t work. 



22 


However, opt-in rates are virtually identical if not lower. In fact, two major U.S. 
companies recently tested the response rates to opt-in and opt-out, by sending e- 
mail messages describing the same use of personal information to statistically simi- 
lar subsets of their respective customer bases. One e-mail said that the information 
would be used unless the customer opted out. The other said the information would 
not be used unless the customer opted in. In both tests, the response rates were the 
same for both sets of messages: customers did not respond to either. 

THE OPT-OUT-OPT-IN COMPARISON 

The question then for Congress, as you consider the need for any new online pri- 
vacy legislation and the relative merits of opt-in and opt-out, is what is the impact 
of any new law on consumers, especially in light of consumers’ tendency to fail to 
respond to privacy notices of any form. Both opt-in and opt-out give consumers the 
same legal control about how their information is used; under either system, it is 
the customer alone who makes the final and binding determination about data use. 
Therefore, the real focus of your inquiry must be on the burdens and costs imposed 
by each system. 

While I and others have written and length about these issues in broad terms, 
I thought it would be most useful today to try to address these questions in the most 
specific manner possible. 

Let’s assume that Congress passes a law requiring that Web site operators pro- 
vide a privacy notice and obtain some form of consent before collecting, using, or 
disclosing personal information. What would this mean in practice? 

OPT-OUT 

If opt-out, then the notice would be provided — much like 88 percent of commercial 
Web sites (100 percent of the busiest commercial Web sites) already do voluntarily 
and have done for more than a year^^ — in whatever form and including whatever 
terms Congress or Federal regulators required. The notice would include informa- 
tion about opt-out opportunities. That small percentage of the public who is acutely 
privately sensitive and today exercises opt-out opportunities whenever presented, 
would continue to do so and, importantly, would for the first time have the legal 
right to do so. 

Most consumers, however, would continue to ignore both the notices and the opt- 
out opportunities, precisely as they do today. And, as a result of consumers not opt- 
ing out, Web sites would be free to use information for any purpose that was within 
the scope of the privacy notice and that was not specifically prohibited by other 
laws. Consumers would get the same service, benefits, opportunities, and offers that 
depend on that information. This is presumably what those consumers want, because 
if they did not, and if they felt sufficiently strongly about it, they could exercise their 
opt-out right at any time. 

Given the fast-changing nature of Internet services and technologies, it is unlikely 
that any privacy notice would cover all future uses of information. As new uses were 
developed, the Web site would be required to provide some form of prominent notice 
on the Web site or via e-mail (the precise details of how the notice must be provided 
would likely be set by Federal regulators). That notice would specify both a mean- 
ingful opportunity for consumers.to opt out and a sufficient amount of time for con- 
sumers to exercise their opt-out rights, before engaging in the new use. Again, it 
is reasonable to assume that most consumers would ignore the notice and the opt- 
out, but they would nevertheless receive whatever benefits or opportunities resulted 
from the use of their information. That is how online opt-out would work. 

OPT-IN 

If Congress’ new law required opt-in consent for data collection, use, or transfer, 
the result would be quite different. Under opt-in, Web sites could no longer provide 
their privacy notices as they currently do or as they would under mandated opt-out, 
but instead would have to force every consumer to see the notice in an effort to ob- 
tain his or her consent to collect and use personal information. Presumably, the 
same small percentage of consumers who already read notices and worry about their 
privacy would continue to read privacy notices, but now they would have to do noth- 
ing to block use of their information. The substantial majority of other consumers 
who ignore privacy policies would also likely continue to do so. 

Assuming the information was necessary to provide the service (for example, an 
address necessary to mail a book or airline ticket) or that the Web site chose to con- 
dition service on the consumer opting in, then the failure to opt in would mean no 
service. Both the minority of consumers who act on privacy policies, and the major- 
ity of the rest of us who simply ignore them, would be denied service. Our privacy 



23 


would be protected to be sure, but at the price of our not using the Internet. Con- 
sumers can obtain this type of privacy protection today — just by walking away from 
businesses whose privacy policies we disagree with — without the intervention of 
Congress. 

For a sense for what this would be like in practice, set your browser to ask before 
accepting cookies. After you have been interrupted 10 or 12 times asking for consent 
to record information that is necessary to access the requested site, you will have 
a good feeling for what opt-in is like. If you click “No,” you will be blocked from 
the Web page, so while you may have the satisfaction of being asked — again and 
again — you have no choice but to consent, unless you want to seek service else- 
where. After having our Internet browsing repeatedly interrupted by opt-in requests 
to which we must accede to proceed, most Amerieans will be asking how to opt out 
of opt-in. 

As new uses for the information were developed, the operator would have to con- 
tact every consumer individually to ask him or her to opt in to the proposed use 
of the information. When most consumers failed to respond, presumably the Web 
site operator would try again and again to gain consent, thus increasingly burdening 
the consumer with more unsolicited e-mail, telephone calls, and/or mail, and in- 
creasing the cost of providing the new service or product for which consent was 
being sought. 

We have some sense of what that cost and burden might amount to. U.S. West, 
one of the few U.S. companies to test an opt-in system, found that to obtain permis- 
sion to use information about its customer’s calling patterns (e.g., volume of calls, 
time and duration of calls, etc.) to market services to them required an average of 
4.8 calls to each customer household.before the company reached an adult who even 
could grant consent, and cost almost $30 per customer contacted.!^ Some of those 
calls went unanswered, but others reached answering machines, children, and other 
household members and visitors who were ineligible to consent. Those individuals 
bore the burden resulting from the practical fact that it is much harder for busi- 
nesses to contact consumers than for consumers to contact businesses — but this is 
precisely what opt-in requires. 

A 2000 Ernst & Young study of financial institutions representing 30 percent of 
financial services industry revenues, found that financial services companies would 
send out three to six times more direct marketing material if they could not use 
shared personal information to target their mailings, at an additional cost of about 
$1 billion per year.^'^ The study concluded that the total annual cost to consumers 
of opt-in’s restriction on existing information flows — precisely because of the dif- 
ficulty of reaching customers — was $17 billion for the companies studied, or $56 bil- 
lion if extrapolated to include the customers of all financial institutions. And those 
figures do not include the costs resulting from restricting information-flows to re- 
duce fraud, increase the availability and lower the cost of credit, provide co-branded 
credit cards and nationwide automated teller machine networks, develop future in- 
novative services and products. 

The reason for this greater cost is easy to see. Under opt-out, a business wishing 
to use information about consumers can inform all potential consumers at once — 
through policies posted on Web sites, disclosures mailed to customer addresses, and 
other efficient, cost-effective forms of communications. The business doesn’t even 
have to know specifically with whom it is attempting to communicate. 

Consumers who object to a proposed use of personal information can prevent it 
by contacting the business via a toll-free telephone number, Web site, or pre-ad- 
dressed response card. The communication can take place at virtually anytime — and 
therefore at the consumer’s convenience — and the response mechanism can serve 
other business purposes. For example, the 800-number can reach a customer service 
center that is staffed to answer a variety of customer questions and provide access 
to customer account information. The Web site can provide a wide range of informa- 
tion and services, in addition to the opportunity to opt-out. 

The comparative ease of communicating the privacy notice to the consumer, the 
flexibility of the customer being able to opt-out at his or her convenience, and the 
ability to spread the cost of handling “opt-outs” using systems that serve other func- 
tions does not mean that opt-out is without cost, but it does help to reduce those 
costs — both to consumers and businesses — significantly. 

Moreover, the burden on consumers is multiplied by the fact that all of these con- 
tacts are just to obtain permission to examine data about customers to determine 
their eligibiliiy for a product or service offering. For those individuals who are eligi- 
ble, a seeond round of contacts is necessary to actually make them to offer. It is dif- 
ficult to imagine that this opt-in system will be perceived by consumers as anything 
more than an annoyance. U.S. West’s customers displayed their annoyance at the 
intrusiveness required by opt-in. Only 28 percent opted-in when they were inter- 



24 


rupted with a call seeking consent, but 72 percent opted-in when the opportunity 
to consent was presented to the customer at the conclusion of a call that the cus- 
tomer initiated.^® 

Of course, this annoyance will be even greater for those people who do not qualify 
for the offer. For example, in the case of U.S. West, the telephone company was ask- 
ing existing customers for permission to examine information about their calling 
patterns to determine their eligibility for new service plans and discounts. However, 
not all customers who consented actually qualified for the new service or discount. 
The burden and cost of contacting those customers who did not qualify were wholly 
wasted. 

Under opt-in, the Web site operator has to contact all customers seeking their in- 
dividual consent to examine data about them, even though many or most may not 
qualify for the offer. Because opt-in prevents businesses from using personal infor- 
mation to target their consent requests, it not only results in extra contacts with 
the consumers, but also exacerbates the burden of those contacts because they can- 
not be tailored to reflect consumer interests. 

These same issues are presented by efforts to attract new customers by using per- 
sonal information (such as their e-mail address) to contact them. Today, if a com- 
pany wishes to expand into a new geographic area or product line, it may seek a 
list of potential customers from a third party. Under opt-out, a third party is free 
to provide the company with such a list, provided that it excludes consumers who 
have already opted-out of receiving such communications. The company can then 
use the list to contact people with a special offer or introductory discount. After re- 
ceiving the offer, consumers are free to opt-out of receiving future offers from that 
company. The only “harm” suffered by the individual is receiving an offer in which 
he or she ultimately was not interested. 

Under opt-in, every person on that list will need to be contacted for consent. The 
company cannot contact them, because it does riot have explicit consent to make 
such a use of their names or addresses. The third party supplying the list is un- 
likely to bear the expense and inconvenience of contacting every person on the list. 
The promise of explicit consent in the opt-in requirement has resulted in nothing 
to consent to at all. 

Alternatively, depending upon the specific requirements of the opt-in law, the new 
service provider may be allowed to contact potential customers, but it will have to 
do so twice: once to gain consent to make the second contact conveying the offer. 
Moreover, since most requests for consent are ignored, the most likely effect on an 
opt-in law is to prevent contacting potential customers entirely. This is why Robert 
E. Litan, Director of the Economic Studies Program and Vice President of The 
Brookings Institution, has written that switching from an opt-out system to an opt- 
in system would “raise barriers to entry by smaller, and often more innovative, 
firms and organizations.” 

OPT-IN AND THE ILLUSION OF CONSENT 

Because of the inherent difficulty of businesses contacting consumers individually, 
many consumers may miss out on opportunities that they would value, not because 
they chose not to receive them, but because they never had the opportunity to 
choose. In one-third of households called by U.S. West, for example, the company 
never reached the customer, despite repeated attempts. Consequently, those cus- 
tomers were denied the opportunity to receive information about new products and 
services. This is a very practical example of the way in which an opt-in system 
may only create the illusion of consent. 

We have already seen the extent to which consumers ignore requests for consent. 
Moreover, even when mail is actually read and the offer appeals to the consumer, 
lethargy and the competing demands of busy lives often conspire to ensure that no 
action is taken. Only 6-11 percent of customers in the U.S. West opt-in test re- 
sponded to written opt-in requests, even though more than four times that num- 
ber — 28 percent — indicated that they desired the service when called about it, and, 
as noted, 72 percent ordered the service when asked during a phone call that the 
customer initiated, This suggests that the issue isn’t privacy or the attractiveness 
of the request, hut rather the annoyance to consumers of being interrupted with re- 
quests for consent — precisely what an opt-in law contemplates. 

The opportunity to consent may also be illusory because the business wishing to 
use the information has no affordable way of reaching consumers individually. If the 
cost of obtaining consent is too ^eat to make the proposed use of information eco- 
nomically feasible, then there will be nothing to which the consumer can consent. 

If opt-in means that lists of potential customers are no longer available from third 
parties, then, as we have seen, the promise of explicit consent in the opt-in require- 



25 


ment will likely result in nothing to consent to at all. Consider the example of AOL 
Time Warner. As a startup company, AOL mailed free copies of its software to peo- 
ple likely to be interested in Internet access. Prohibiting the fledgling AOL access 
to information about consumer addresses and computer ownership would have de- 
nied consumers information about an opportunity that many of them obviously 
value, increased the volume of marketing material that AOL would have been re- 
quired to distribute, and threatened the financial viability of a valuable, innovative 
service. 

The opportunity for consent under an opt-in system may also be illusory because 
of the difficulty of building new data systems, and implementing new uses of data, 
one customer at a time. For example, highly valued services, such as consolidated 
statements and customer service, could not exist if consumers were given the choice 
about the sharing of information about their accounts, because few businesses could 
realistically provide both consolidated and nonconsolidated services. To do so would 
require one customer service center manned by one set of representatives using one 
information system for customers who consented to information-sharing, and a pan- 
oply of other customer service centers manned by teams of other representatives 
using a variety of other information systems each covering only a single aspect of 
a customer’s account for those customers who did not consent. This is an area where 
there is no room for consumer choice — opt-in or opt-out: Service must either be pro- 
vided on a consolidated basis for all (which is the choice of most consumers) or for 
none (in which cases all customers must endure the added cost and inconvenience 
of separate statements and service centers). 

Finally, as noted, the opportunity for consent is always illusory if the service or 
product cannot or will not be provided without personal information. I experienced 
a very practical example of this just this past weekend. When downloading software, 
I was presented with a pop-up privacy policy. I could not continue installing the 
software I wanted without providing the information requested — the site needed to 
know certain information about my system to know which software to send and how 
to configure it — and without clicking on the “I accept” button. The presence of that 
policy was a small burden and annoyance, but yielded no benefit. The opportunity 
to opt in meant nothing — was wholly illusory — because consent was a condition of 
service. A law requiring opt-in consent in that situation would have merely in- 
creased the cost and burden of formally verifying and recording the consent that I 
had already manifest by my behavior, to use information without which the re- 
quested service could not have been provided. 

THE LESSON FROM EUROPE 

A number of legislators and privacy advocates have argued that since the use of 
personal information in Europe is conditioned on opt-in consent, the burdens and 
costs of opt-in must not be as great as research and experience have suggested. This 
argument is fundamentally flawed, as we are learning. 

While it is true that European nations are required under the European Union 
data protection directive, which took effect in 1998, to condition the collection, use, 
or transfer of personal information on explicit opt-in consent,^® there is little evi- 
dence that any have, in fact, done so. European data protection officials have repeat- 
edly pointed out the impossibility of doing so. Instead, Europe has used a concept 
of “implied explicit consent” — if individuals are told of the intended data collection 
or use and do not object, then surely, European data protection officials argue, they 
must have opted-in. There is nothing to distinguish this from opt-out. Privacy schol- 
ar Amitai Etzioni has noted that European citizens rarely, if ever, are asked for ex- 
plicit permission to use personal information about them. In fact, he tells of regu- 
larly asking his European audiences if anyone has ever been asked to opt-in. To 
date, Etzioni reports only one positive response-from a man who was asked for opt- 
in consent by Amazon.com, a U.S. company.^i “It seems that this EU directive is 
one of those laws that is enacted to keep one group — privacy advocates and their 
followers — happy and, as a rule, is not enforced so that commerce and life can con- 
tinue.” 

A January 2001 study by Consumers International bears out Etzioni’s conclusion. 
Consumers International examined the use and protection of personal information 
on 751 retail, financial, health, and other popular Web sites in the United States 
and Europe. The study found that while U.S. and European Web sites collect per- 
sonal information at nearly comparable rates (66 percent in the United States; 63 
percent in Europe), U.S. sites provide better privacy protection, despite having no 
specific legal obligation to do so, than European sites, which are subject to com- 
prehensive legal requirements: 



26 


Despite tight EU legislation in this area, researchers did not find that sites 
based in the EU gave better information or a higher degree of choice to their 
users than sites based in the US. Indeed, US-based sites tended to set ‘the stand- 
ard for decent privacy policies.^^ 

Ironically, not only have more restrictive laws failed to provide a higher standard 
of privacy protection, they have also failed to quell consumer fears. Polls on con- 
sumer privacy concerns show nearly identical results in the United States and Eu- 
rope, despite wide differences between laws. Eor example, Lou Harris & Associates 
found in 1999 that 80 percent of U.S. consumers and 79 percent of German con- 
sumers surveyed agreed with the statement “consumers have lost all control over 
how personal information is collected and used by companies.” Similarly, 71 per- 
cent of the U.S. sample and 70 percent oO of the German sample agreed that “it 
is impossible to protect consumer privacy in the computer age.” In fact, despite 
the far greater legal protections for privacy available in Europe, Americans (64 per- 
cent) were more likely than Germans (55 percent) or British (58 percent) respond- 
ents to believe that businesses will handle personal information in a “proper and 
confidential way.”^® However, Americans (29 percent) proved no more likely than 
Germans (28 percent) and only slightly more likely than the British (23 percent) to 
say they personally have been a victim of what they, felt was an improper invasion 
of privacy by a business.^^ 

OPT-IN AND THE FIRST AMENDMENT 

Opt-in also poses significant constitutional issues under the First Amendment. 
The Supreme Court has struck down many ordinances that would require affirma- 
tive consent before receiving door-to-door solicitations,^® before receiving Communist 
literature,^® even before receiving “patently offensive” cable programming.®® The 
Court’s opinion in the 1943 case of Martin v. Struthers — involving a local ordinance 
that banned door-to-door solicitations without explicit (opt-in) householder consent — 
is particularly apt: 

Whether such visiting shall be permitted has in general been deemed to de- 
pend upon the will of the individual master of each household, and not upon 
the determination of the community. In the instant case, the city of Struthers, 
Ohio, has attempted to make this decision for all its inhabitants.®^ 

The only Federal court to review a modern opt-in requirement concluded that it 
violated the First Amendment. In 1999, the U.S. Court of Appeals for the Tenth Cir- 
cuit in U.S. West, Inc. v. Federal Communications Commission, struck down the 
Commission’s rules requiring that telephone companies obtain explicit consent from 
their customers before using data about those customers’ calling patterns to market 
products or services to them.®^ The court found that the FCC’s rules, by limiting 
the use of personal information when communicating with customers, restricted 
U.S. West’s speech and therefore were subject to First Amendment review. The 
court determined that under the First Amendment, the rules were presumptively 
unconstitutional unless the FCC could prove otherwise by demonstrating that the 
rules were necessary to prevent a “specific and significant harm” on individuals, and 
that the rules were ‘“no more extensive than necessary to serve [the stated] inter- 
ests.”’®® 

Although we may feel uncomfortable knowing that our personal information 
is circulating in the world, we live in an open society where information may 
usually pass freely. A general level of discomfort from knowing that people can 
readily access information about us does not necessarily rise to the level of sub- 
stantial State interest under Central Hudson [the test applicable to commercial 
speech] for it is’not based on an identified harm.®‘‘ 

The court found that for the Commission to demonstrate that the opt-in rules 
were sufficiently narrowly tailored, it must prove that less restrictive opt-out rules 
would not offer sufficient privacy protection: 

Even assuming that telecommunications customers value the privacy of [in- 
formation about their use of the telephone], the FCC record does not adequately 
show that an opt-out strategy would not sufficiently protect customer privacy. 
The respondents merely speculate that there are a substantial number of indi- 
viduals who feel strongly about their privacy, yet would not bother to opt-out 
if given notice and the opportunity to do so. Such speculation hardly reflects the 
careful calculation of costs and benefits that our commercial speech, jurispru- 
dence requires.^^ 

The court found that the FCC had failed to show why more burdensome opt-in 
rules were necessary, and therefore struck down the rules as unconstitutional. The 
Supreme Court declined to review the case.®® 



27 


The Tenth Circuit’s opinion in U.S. West is particularly applicable to the current 
debate over opt-out and opt-in because it reaffirms what the Supreme Court had 
previously indicated: that opt-in is more burdensome than opt-out, and that, as a 
result, for the government to adopt opt-in rules, it must first demonstrate that opt- 
out is not adequate. 


CONCLUSION 


The Role of Opt-In 

Opt-in has its place. For example, Congress wisely required the explicit consent 
of parents before Web sites collected information from very young children.^^ Infor- 
mation that is particularly sensitive or particularly likely to be misused to harm the 
individual might also be subjected to opt-in consent. And some companies online 
today voluntarily use opt-in in settings where it is most easily managed (such as 
online service providers, which by definition have contact with their customers every 
time they log on) or where it is necessary to ensure consumer confidence given the 
sensitivity of the relationship and information (such as certain financial and health 
sites). But in other settings, the higher costs imposed by a legally mandated opt- 
in system are unwarranted. 

This is especially true on the Internet where much of the information disclosed 
is not sensitive or likely to be used to harm the individual, but rather is a substitute 
for the very address information browsing and bu3dng habits that store clerks and 
merchants have been noting for years. Moreover, because the use of information is 
so central to customer service and convenience online, and the very attraction of the 
Internet is its speed and ease-of-use, opt-in as a legal requirement seems peculiarly 
inappropriate in the context of the Internet. 

Opt-in is unlikely to enhance privacy protection, because consumers asked to opt 
in prior to receiving service are likely to do so to receive service and to avoid the 
annoyance of being asked again. (That is why millions of us click “I accept” boxes 
without ever reading the terms to which we are agreeing.) Consumers asked to opt 
in later to new uses of information are in most settings unlikely to ever be aware 
of the request. This suggests that simply conditioning the use of personal informa- 
tion on specific consent is tantamount to either creating a hoop that Web users must 
jump through to obtain access to the information and services they desire, or, alter- 
natively, to effectively prohibiting outright many beneficial uses of information. In 
either case, opt-in acts like a tax on online commerce, compelling all consumers to 
pay for the heightened privacy concerns of a few, yet providing enhanced privacy 
to no one. 

The Role of the Government 

The fact that opt-in laws do not appear generally appropriate or necessary for pro- 
tecting privacy on the Internet, does not mean that there is no role for the govern- 
ment or for law in protecting privacy online. Far from it. 

Regulators and law enforcement officials should enforce existing privacy laws vig- 
orously, and legislators should ensure that they have the resources to do so. This 
is especially important in the context of the Internet, where disparate jurisdictions 
and laws can make enforcing existing laws difficult for most consumers. I think it 
is especially important for the government to help ensure that Web sites adhere to 
the commitments that they make in their privacy policies — whether those policies 
are voluntary or required by law — so that individuals who do read those policies can 
rely on them with confidence. 

The government should also help educate the public about privacy and the tools 
available to every citizen to protect our own privacy. Many privacy protections can 
only be used by individuals — no one else can protect their privacy for them. This 
is especially true on Web sites, a majority of which originate in countries outside 
of the United States. The common sense steps and practical technologies that indi- 
viduals can employ to protect themselves offer better, more effective protection than 
any law. Yet few individuals will recognize the importance of their responsibility or 
have the knowledge to fulfill it without education. 

Finally, should Congress conclude that some form of new mandated consent re- 
quirement is necessary, opt-out is the less burdensome alternative and the one more 
likely to be effective. It allows people who are most concerned about their privacy 
to act to protect it — using the same legal right that they have with opt-in — without 
unduly burdening the great majority of us who are unlikely to read or act on privacy 
notices. You may wish to take steps to make privacy notices more complete and 
clear, and opt-out more effective. I advise caution, however, before substituting Con- 
gress’ judgment for that of the market. Remember, the Gramm-Leach-Bliley privacy 
notices that the press and State legislatures are so busy criticizing, were largely 



28 


written by Federal regulators. Their complexity is precisely what we should expect 
if we require those notices to comply with Federal regulations and regard them as 
creating binding contracts. Before mandating such notices online, I urge you to 
think carefully about whether there is any certain way to do better, and whether 
the cost of doing so is justified in light of the few consumers who will ever read 
them. 

Thank you again for the opportunity to testify. 

Endnotes 

1. Restatement (Second) of Torts §§652B, D-E (1976). 

2. Philadelphia Newspaper, Inc. v. Hepps, 475 U.S. 767, 777 (1986). 

3. Restatement, supra, §662E. 

4. 15 U.S.C. §1681 b(a) (1999). 

5. Enactment of the Children’s Online Privacy Protection Act, 106th Congress, 2d 
Session, 146 Cong. Rec. E616, May 2, 2000, statement of Jay Inslee (D-Wash.) (em- 
phasis added). 

6. Democrats Hold News Conference on Financial Privacy, May 4, 2000 (statement 
of John LaFalce (DN.Y.)) (emphasis added). 

7. National Association of Attorneys General, supra at 7 (emphasis added). 

8. S. 30, 107th Cong. §2 (2001); H.R. 89, 107th Cong. § 2(b)(1) (2001); H.R. 347, 
107th Cong. § 2(b)(1)(A) (2001) (emphasis added) 

9. “Briefs,” Circulation Management, May 1999 (referring to the U.S. Postal Serv- 
ice’s Household Diary Study (1997)). 

10. Federal Trade Commission, Workshop on The Information Marketplace: Merg- 
ing and Exchanging Consumer Data, Mar. 31, 2001 (comments of Ted Wham). 

11. Less than 3 percent of the U.S. population takes advantage of the Direct Mar- 
keting Association’s Mail and Telephone Preference Services. Financial Privacy, 
Hearings before the Subcomm. on Financial Institutions and Consumer Credit of the 
Comm, on Banking and Financial Services, House of Representatives, 106th Cong., 
1st Sess. (July 20, 1999) (statement of Richard A. Barton) (available at http:! ! 
www.house.govlbankingl72099rba.htm). Financial institutions, retailers, and other 
businesses report similar or lower figures for their opt-out programs. 

12. Federal Trade Commission, Privacy Online: Fair Information Practices in the 
Electronic Marketplace — A Report to Congress at 11 (2000). 

13. Brief for Petitioner and Interveners at 15-16, U.S. West, Inc. v. Federal Com- 
munications Commission, 182 F.3d 1224, 1239 (10th Cir. 1999) (No. 98-9518), cert, 
denied 528 U.S. 1188 (2000). 

14. Ernst & Young LLP, Customer Benefits from Current Information Sharing by 
Financial Services Companies 16 (Dec. 2000). 

15. Id. 

16. U.S. West, Inc. v. Federal Communications Commission, 182 F.3d 1224, 1239 
(10th Cir. 1999), cert, denied 528 U.S. 1188 (2000). 

17. Robert E. Litan, Balancing Costs and Benefits of New Privacy Mandates, in 
Lucien Rapp & Fred H. Cate, European and U.S. Perspectives on Information Pri- 
vacy (forthcoming). 

18. Brief for Petitioner and Interveners at 15-16, U.S. West, supra. 

19. U.S. West, 182 F.3d at 1239. 

20. Directive 95/46/EC of the European Parliament and of the Council on the Pro- 
tection of Individuals with Regard to the Processing of Personal Data and on the 
Free Movement of Such Data art. 7 (Eur. O.J. 95/L281). 

21. Personal communication from Amitai Etzioni to the author (Feb. 21, 2001). 

22. Amitai Etzioni, “Protecting Privacy,” Financial Times, April 9, 1999, at 18. 

23. Consumers International, Privacy@net: An International Comparative Study of 
Consumer Privacy on the Internet at 6 (2001) (emphasis added). 

24. IBM Multi-National Consumer Privacy Survey at 22 (1999). 

25. Id. 

26. Id. 

27. Id. at 14. 

28. Martin v. Struthers, 319 U.S. 141 (1943). 

29. Lamont v. Postmaster General, 381 U.S. 301 (1965). 

30. Denver Area Educational Telecommunications Consortium, Inc. v. Federal 
Communications Commission, 518 U.S. 727 (1996). 

31. Martin, 319 U.S. at 14 1. 

32. U.S. West, 182 F.3d at 1235. 

33. Id. at 1235 (quoting Rubin v. Coors Brewing Co., 514 U.S. 476, 486 (1995)). 

34. U.S. West, 182 F.3d at 1235 (emphasis added). 

35. Id. (emphasis added). 



29 


36. U.S. West Communications, Inc. v. Federal Communications Commission, 528 
U.S. 1188 (2000). 

37. Children’s Online Privacy Protection Act of 1998, Pub. L. No. 105-277, 112 
Stat. 2681-728 (codified as amended at 15 U.S.C. §6501-06 (1999)). 

The Chairman. Thank you very much. 

Just a moment, Dr. Schwartz. Senator Burns, our ranking mem- 
ber on communications has to be at the Interior Appropriations 
Subcommittee markup. 

Senator Burns, you had a statement? 

STATEMENT OF HON. CONRAD BURNS, 

U.S. SENATOR FROM MONTANA 

Senator Burns. Well, I have a statement, and I would ask unani- 
mous consent that that statement might be just entered in the 
record, Mr. Chairman. I thank you for this courtesy. And, of course. 
Senator Wyden and I will still be very much involved in this issue 
with our bill, and we look forward to working with you and the rest 
of the Committee as this legislation moves forward. And I thank 
you for the courtesy. 

The Chairman. Very much thank you. 

[The prepared statement of Senator Burns follows:] 

Prepared Statement of Hon. Conrad Burns, U.S. Senator from Montana 

Thank you, Mr. Chairman. Today’s hearing concerns a topic of crucial importance 
in today’s increasingly digital world: the protection of online privacy. 

To put it simply, Americans have no safety net of privacy online. Ever-more so- 
phisticated technologies are being developed to collect nearly limitless information 
on individuals without their knowledge. Consumers are clearly concerned at the 
“flip side” of the digital revolution. Just yesterday, the Markle Foundation released 
a landmark report on the “State of the Net” which revealed that nearly half of the 
public viewed the Internet as a “source of worry.” Foremost among their concerns 
is the lack of privacy on the Internet. A recent Gallup poll found that nearly four- 
fifths of Americans were concerned about the privacy of personal information they 
give out on the Internet. Seven in ten online shoppers were concerned about the se- 
curity of their information. In addition, two-thirds of those polled called for Federal 
legislation to protect their online privacy. 

None of these striking numbers surprise me, as I continue to hear from my 
contituents about the lack of privacy protections on the Internet. I am more con- 
vinced than ever that legislation is necessary to provide consumers with a safety 
net of privacy in the online world. 

Online privacy is central to the future economic well-being of the Internet. Despite 
the recent highly publicized flameouts of several dot-com companies, e-commerce 
has continued to grow. However, the rate of this growth is clearly being slowed by 
consumers’ rising and legitimate fears about privacy intrusion. Several studies 
pointed out that the primary reason preventing more people from making purchases 
online is the lack of privacy. While the Internet has exhibited massive growth, cur- 
rently less than 1 percent of all consumer retail spending is done online. In short, 
e-commerce still has huge upside potential, but that potential will never be fulfilled 
without basic assurances of consumer privacy. 

I would like to touch on the idea that merely posting privacy policies somehow 
ensures actual privacy for users. Many of these policies are frustrating exercises in 
legalese. It becomes obvious from wading through examples of these policies that 
most were designed with the goal of protecting companies from liability rather than 
informing and empowering consumers. In today’s hectic world, consumers simply 
don’t have either the time or the inclination to slog through confusing policies that 
span multiple pages. 

To address these concerns, in the 106th Congress, Senator Wyden and I intro- 
duced the “Online Privacy Protection Act,” which was based on our shared view that 
while self-regulation should be encouraged, we need to also provide strong enforce- 
ment mechanisms to punish bad actors. 

I am open to working with the Chairman, Sen. Wyden and all of my colleagues 
on the Committee to ensure that strong privacy legislation moves to markup and 



30 


passage by the full Senate as quickly as possible. I look forward to the testimony 
of the witnesses. Thank you. 

The Chairman. Dr. Schwartz. 

STATEMENT OF PAUL M. SCHWARTZ, PROFESSOR OF LAW, 
BROOKLYN LAW SCHOOL 

Mr. Schwartz. Thank you. I am honored to be here today to talk 
about Internet privacy with you. 

Millions of Americans now engage in daily activities on the Inter- 
net. Under current conditions, their behavior, our behavior, creates 
detailed stores of personal data. The key concept is that the Inter- 
net is an interactive telecommunications system. In other words, 
computers attached to it do not merely receive information but also 
transmit it. Visits to the Internet create data trails. 

What I would like to do today is briefly make three points. First, 
I wish to address the EU data protection directive and the U.S. 
Commerce Department’s safe harbor agreement. Second, I wish to 
talk about weaknesses in the current market for online privacy. 
Third and finally, I wish to describe the nature of the privacy 
harms to individuals in the online realm. Let me begin. 

The European data protection directive seeks to harmonize pri- 
vacy law in Europe at a high level. It also restricts transfers of in- 
formation to third-party nations that lack an adequate level of pro- 
tection. The response of the U.S. Commerce Department has been 
to draft and negotiate EU approval of safe harbor standards for 
privacy. And what does the safe harbor provide? They provide the 
fair information practices that Senator McCain alluded to in his 
opening statement: notice, choice, access, security, and enforce- 
ment. 

After a slow start for the safe harbor, more American companies 
are signing up for it. Chairman Hollings in his opening statement 
spoke of the number of leading information age companies that 
have signed on to the safe harbor. In my judgment, it speaks well 
for the business compatibility of the safe harbor that companies 
such as Intel, Hewlett-Packard, Acxiom Data and Microsoft have 
agreed to it. 

The thing to remember, though, is that the EU directive is there 
only to protect European citizens. It creates legal obligations only 
for their information. The resulting gap in protection leaves Amer- 
ican citizens entitled under law only to a lesser level of privacy pro- 
tection. 

Let me now turn to my second topic. In my view, we do not have 
a well-functioning privacy market. What would a well-functioning 
market require? It would require consumers who want to sell or ex- 
change their information to be able to bargain over the terms 
under which they disclosed their personal data. It would also re- 
quire data processors, the buyers of information, to offer different 
packages and prices for personal information. 

Currently, however, what we have on the Internet is a Hobson’s 
choice. Now, the original Hobson was an innkeeper in England in 
the 17th Century. Hobson told his customers that they were to take 
the horse closest to the stable door or they would take no horse in 
the stable. That was the original Hobson’s choice. The Hobson’s 
choice that we are now seeing is either no privacy or no Internet, 



31 


and I think this is exactly what Senator Rockefeller pointed to 
when he talked about the problems with cookies. It is, in fact, very, 
very difficult to manage cookies. 

Even beyond cookies, we have problems such as “web bugs”, also 
known as clear GIF’s and many other privacy meltdowns that are 
only a click stream away. So the emerging Hobson’s choice for 
Americans on the Internet is to sacrifice either privacy or access 
to the Internet. 

I now reach my third and final point. Let me try to describe a 
way of thinking about the kinds of harms that occur to privacy on 
the Internet. In my judgment, we have both economic and non- 
economic harms. The first economic harm is a distributional one. 
The failure in the privacy market involves a distribution away from 
consumers who care about privacy and toward data processing 
companies. In other words, we have a subsidy to data processing 
companies. They are essentially getting information, our informa- 
tion, at a below true market rate. 

The second problem is weblining. Weblining is an emerging prac- 
tice on the Internet which is similar to “redlining” in the off-line 
world. Weblining creates segmenting in which it is our data pro- 
files that decide the price that we pay, the services we obtain, and 
our access to new products and information. The danger is that 
weblining will hinder the kind of increased opportunity that access 
to information should provide. 

The third economic harm on the Internet is a deadweight cost. 
Consumers are buying less or not buying at all because of their 
worries about privacy. In a November 2000 report, the Forrester 
Research Group found that such consumer concern led U.S. compa- 
nies to have $12.4 billion in lost sales in the year 2000 alone. 

Finally, there are noneconomic harms. Cyberspace is not only a 
place for shopping; it is our new arena for public and private activi- 
ties. Yet, as Professor Jerry Kang of UCLA Law School has written 
of cyberspace, it is a place where you are invisibly stamped with 
a bar code. In the absence of strong privacy rules, Americans will 
hesitate to engage in cyberspace activities, including those that are 
most likely to promote community. 

Allow me to conclude. It is my hope that the Senate Commerce 
Committee will respond to the situation I have described with in- 
troduction of strong consumer privacy legislation. Thank you for 
the opportunity to testify. 

[The prepared statement of Mr. Schwartz follows:] 

Prepared Statement of Paul M. Schwartz, Professor of Law, 
Brooklyn Law School 

Mr. Chairman and Members of the Committee: My name is Paul Schwartz, and 
I am a Professor of Law at Brooklyn Law School in Brooklyn, New York. For over 
a decade, I have been writing and teaching about privacy law and other areas of 
information law. My publications about privacy law include two co-authored reports 
carried out at the request of the Commission of the European Union. I have also 
taught courses in areas such as privacy law, Internet law, telecommunications law, 
and the “Law of Electronic Democracy.” 

Millions of Americans now engage in daily activities on the Internet, and under 
current technical configurations, their behavior — our behavior — creates detailed 
stores of personal data. The Internet is an interactive telecommunications system, 
which means that computers attached to it do not merely receive information but 
also transmit it. Social, political and commercial life on the Internet create a finely 
grained data map of our interests, our beliefs, and our interpersonal relationships. 



32 


This personal information also has great commercial value; it is no exaggeration to 
consider personal data to be the gold currency of the Information Age. 

It is, therefore, fitting that the Senate Commerce Committee is examining Inter- 
net privacy. I am honored to be here today to share my views regarding privacy law 
in cyberspace. 

There are three topics that I wish to address: (1) the European Data Protection 
Directive and the Safe Harbor Agreement; (2) the weaknesses in the current “mar- 
ket” for online privacy (the problem of “privacy market” failure); and, finally, (3) the 
nature of the privacy harms that individuals currently suffer in the online realm. 

I. THE EUROPEAN DATA PROTECTION DIRECTIVE 

The Member States of the European Union (E.U.) have enacted a Data Protection 
Directive that seeks both to harmonize their national data protection laws at a high 
level and to restrict transfers of personal data to third-party nations that lack “an 
adequate level of protection.” ^ In cases where such adequate protection is not 
present, the Directive provides exceptions that permit transfers if, among other cir- 
cumstances, the party receiving the data has agreed by contract to provide adequate 
protection.^ 

These national and European-wide measures for information privacy pose signifi- 
cant challenges to the free flow of personal data to the United States. Whether or 
not a U.S. company has “adequate” measures for information privacy requires exam- 
ination of the protections available for specific data, including the safeguards offered 
by law and relevant business practices.^ As a general matter, the European view 
regarding United States privacy law has been skeptical.^ 

In response to E.U. Data Protection Directive, the U.S. Commerce Department 
drafted and negotiated E.U. approval of “Safe Harbor” standards for privacy.® The 
Commerce Department sought to bridge differences in privacy approaches between 
the two countries and to “provide a streamlined means for U.S. organizations to 
comply with the Directive.”® As the Commerce Department states, “The safe har- 
bor — approved by the EU in July of 2000 — is an important way for U.S. companies 
to avoid experiencing interruptions in their business dealings with the EU or facing 
prosecution by European authorities under European privacy laws.” ^ Under Ambas- 
sador David Aaron’s leadership, the Commerce Department also obtained E.U. 
agreement to waive sanctions against any American companies that follow these 
standards. American companies in the Safe Harbor are deemed to provide “adequate 
protection” for the personal data of Europeans. 

What does the Safe Harbor provide? Americans companies that sign up for it 
promise to provide a range of Fair Information Practices for the personal informa- 
tion of Europeans. Fair Information Practices are the building blocks of modern in- 
formation privacy law; they are centered around four key principles: (1) defined obli- 
gations that limit the use of personal data; (2) transparent, that is open and under- 
standable, processing systems; (3) limited procedural and substantive rights; and (4) 
external oversight.® These principles are not a European invention, but have been 
present in information privacy law and policy in the U.S. since the era of mainframe 
computers in the 1970’s. 

After a slow start for the Safe Harbor, more American companies are signing up 
for it. Perhaps the single most exciting development in the last year in U.S. privacy 
law has been this new willingness of corporate America to pledge allegiance to the 
most important Fair Information practices. Among the corporations now on the Safe 
Harbor list are Intel, Hewlett Packard, and Acxiom Data. Moreover, Microsoft has 
announced that it plans to sign on to the Safe Harbor agreement. These are, of 
course, all leading Information Technology corporations, and Acxiom is also a lead- 
ing collector of personal data. Based in Little Rock, Arkansas, Acxiom Data supplies 
data infrastructure and technology services to help companies and organizations 
better understand customer behavior. It speaks well for the business compatibility 
of the Safe Harbor that these companies have agreed to it. 

Under the terms of the Safe Harbor, however, American companies pledge to pro- 
vide Fair Information Practices only for the personal data of European citizens. The 
question then becomes: why should American citizens be entitled under law only to 
a lesser level of privacy protection? 

II. WEAKNESS IN THE CURRENT PRIVACY MARKET 

In this part of my testimony, I wish to consider the foundation conditions for a 
functioning “privacy market” and to explore the weaknesses in the existing market 
for personal information. 

A well-functioning privacy market requires sellers (i.e. consumers) to be able to 
bargain over the terms under which they will disclose their personal data, and buy- 



33 


ers (i.e. data processors) to offer different packages and prices for this personal in- 
formation. In such a market, “privacy price discrimination” will emerge. Privacy 
price discrimination involves a consumer seeking different packages of services, 
products, and money in exchange for her personal data, and a data processing com- 
pany differentiating among consumers based both on their varying preferences 
about the use of their personal data and the underlying value of the information. 

To illustrate this point, imagine two hypothetical consumers: Marc and Katie. 
Marc cares deeply about how his personal information is used; Katie does not. A 
surplus from cooperation under a property regime requires at a minimum, however, 
that Marc and others with similar preferences receive more than their “threat 
value” before disclosure. The term “threat value” refers to the “price” that Marc 
would place on not disclosing his personal information. Beyond receiving the threat 
value, privacy price discrimination also requires further elasticity in meeting more 
subtle privacy preferences of Marc. Under the current regime, however, companies 
generally have no need to offer Marc greater services or more money for his per- 
sonal data than they offer Katie. 

The failure in the privacy market can be attributed to at least four causes: (1) 
information asymmetries; (2) collective action problems; (3) bounded rationality; and 
(4) limits on “exit” from certain practices. We should briefly consider each of these 
four shortcomings in the privacy market. 

A. Information Asymmetries 

The first weakness in the privacy market is that most visitors to cyberspace lack 
essential knowledge of how tbeir personal information will be processed or how tech- 
nology will affect data collection. Due to this “knowledge gap,” development through 
a privacy marketplace of rules for personal data use are likely to favor the entities 
with superior knowledge — online industry rather than consumers. At present, even 
relatively basic Internet privacy issues, such as “cookies,” are met with widespread 
consumer ignorance. 

Cookies are alphanumerical files that Web sites place on the hard drives of their 
visitors’ computers. Cookies are a ready source of detailed information about per- 
sonal online habits, but consumers generally do not even know where cookie files 
are stored on their computer. Beyond cookies, widespread information as 3 mimetries 
involve other aspects of the Internet’s technical infrastructure. As a result, “negotia- 
tions” about the use of personal information occur with one party, the consumer, 
generally unaware that bargaining is even taking place! 

B. The Collective Action Problem 

The second difficulty in the Internet privacy market is a collective action problem. 
The need is for individual privacy wishes to be felt collectively in the market. The 
good news first: a group of privacy-promoting organizations are emerging. Among 
these institutions are: (1) industry organizations that support self-regulation by 
drafting codes of conduct; (2) privacy seal organizations, such as TrustE and 
BBBOnline; (3) “infomediaries” that represent consumers by offering to exchange 
their data only with approved firms; (4) privacy watchdog organizations that bring 
developing issues to public attention; and (5) technical bodies, such as the World 
Wide Web Consortium (W3C), engaged in drafting Internet transmission standards, 
including the Platform for Privacy Preferences (P3P). P3P is a software trans- 
mission protocol that seeks to allow the individual to control her access to Web sites 
based on her privacy preferences and the practices at a given site. 

Despite these promising developments, most of us are not yet able to free-ride suc- 
cessfully on the efforts of those who are more savvy about data privacy on the Inter- 
net. As many experts have pointed out, current collective solutions, such as industry 
self-regulation and privacy seals, are flawed. As an example, the FTC’s 2000 Study, 
Privacy Online, points to the lack of effective enforcement in current models of in- 
dustry self-regulation and the confusing implementation of privacy seal programs.® 
For that matter, the existence of competing privacy seal programs raises the risk 
of forum shopping by Web sites that are hoping for weaker enforcement from one 
seal service rather than the other. 

C. Bounded Rationality 

The third difficulty with the privacy market is “bounded rationality,” a concept 
developed by behavior economists.'^® Scholarship in behavioral economics has dem- 
onstrated that consumers’ general inertia towards default terms is a strong and per- 
vasive limitation on free choice. This does not mean that consumers are all sheep, 
but it does mean that default rules and form terms can have great psychological 
force and are likely to reward those who otherwise have greater power. 

As a result of this current power dynamic, individuals faced with standardized 
terms and expected to fend for themselves with available technology may simply ac- 



34 


cept whatever terms are offered by data processors. Indeed, the difficulties with 
bounded rationality extend not only to personal information as traditionally under- 
stood but a new and potentially risky set of personal information, namely “privacy 
meta-data.” This point is worth elaborating. 

Meta-data are information about information. For example, use of telecommuni- 
cations now creates “communications attributes,” which are valuable data about 
consumers’ service and calling preferences (call waiting, caller ID, DSL lines, etc.). 
The use of privacy filtering technology, such as P3P, creates another kind of meta- 
data, namely information about one’s privacy preferences. Ironically, these meta- 
data will possibly contribute to additional privacy invasions. Already in the offline 
world, direct marketers generate and sell lists of people who have interest in pro- 
tecting their privacy. Filtering will therefore create the possibility of further privacy 
violations unless customers prove able not only to negotiate for their privacy but for 
the privacy of data about their privacy preferences. 

Bounded rationality points to the need to find ways to permit informed decision- 
making about use of one’s personal information and personal meta-information at 
the least cost to a consumer. The risk is that the current privacy market will lead 
only to cyber-agreements that represent new kinds of contracts of adhesion. In other 
words, new technology may lead only to speedy ways to generate poor contracts. 

D. Limits on Exit 

Finally, cyberspace, in certain of its applications, turns out to be far from friction- 
free. In particular, when limits exist on “exit” from certain practices, the danger is 
that online industry will be able to “lock-in” a poor level of privacy on the Web. 
Again, cookies provide a good example — cookies demonstrate how privacy “lock-in” 
takes place. A ready source of detailed information about personal online habits and 
in widespread use, cookies are difficult to combat. Mastery of advanced settings on 
one’s Web browser, the downloading of “cookie-cutting” software, and some public 
protests about more egregious practices have helped, but not solved this problem. 
As a joint paper of the Electronic Privacy and Information Center (EPIC) and 
Junkbusters has noted, “Those consumers, who have taken the time to configure 
their browsers to notify when receiving, or reject cookies, have found that web surf- 
ing becomes nearly impossible.” 

Moreover, beyond cookies, the next privacy melt-down is never far away. A pos- 
sible source for the next crisis are so-called “Web bugs,” also known as “clear GIF,” 
which permit Web sites to snoop on visitors by use of code that occupies only one 
pixel on the screen. To return to my earlier point about information asymmetries, 
an even lower level of consumer awareness exists about Web bugs than about cook- 
ies. 

As a final example of the emerging “lock in” for informational privacy, many of 
us enter cyberspace anchored in real space settings that limit our ability to nego- 
tiate. The modern workplace demonstrates this phenomenon. As the New York 
Times concludes, “the debate over employee privacy is over.” 12 it is over because 
“widespread, routine snooping on employees is no longer a threat but a fact.’’^^ Or, 
as Business Week states, “When it comes to privacy in the workplace, you don’t have 
any.” The emerging Hobson’s choice for Americans on the Internet is to sacrifice 
either privacy or access to the Internet. 

Let us conclude this section by returning to Marc and Katie, our two consumers 
with different privacy preferences. Due to the pervasive failure in the privacy mar- 
ket in the United States, commercial entities generally obtain Marc’s and Katie’s 
personal data for the same low price. As a result, a subsidy is given to those data 
processing companies that exploit personal data. Put simply, the true “cost” of per- 
sonal data is not charged these organizations. One likely result of subsidized per- 
sonal information is that companies will over-invest in reaching consumers who do 
not wish to hear from them. Personal information at below-market costs will also 
lead companies to under-invest in technology that will enhance the expression of 
one’s privacy preferences. 

III. ECONOMIC AND NON-ECONOMIC HARMS CAUSED BY PRIVACY VIOLATIONS 

It may be difficult at times to understand the nature of privacy harms that occur 
in cyberspace. And it is certainly true, as Professor Fred Cate and others have re- 
minded us, that benefits are associated with the sharing of information. 1 ® Why 
should there be limits on the use of personal data? In my view, the nature of the 
harms to personal privacy on the Internet fall into two categories: (1) the economic, 
and (2) the non-economic. 



35 


A. Economic Harms 

Privacy violations cause economic harms to consumers by: (1) causing an ex- 
change of our personal information at lower rates than a fully functioning privacy 
market would permit; and (2) squelching democratic opportunity through emerging 
practices such as “Weblining.” Finally, privacy violations also lead to: (3) a lack of 
consumer confidence that harms the development of e-commerce. 

1. Personal Data at Below “Market” Rates 

I have proposed that the true cost of personal data is not imposed on organiza- 
tions — the personal data of consumers (the Marc’s) who care about privacy and 
those that do not (the Katie’s) can be obtained for the same price. This market fail- 
ure leads to both deadweight losses and distributional consequences. The dead- 
weight losses follow from the existence of consumers who would engage in more or 
different kinds of transactions on the Internet, but refuse to do so because of fears 
about how their personal data will be collected and used. Polls have consistently 
shown that many Americans decline to engage in cyberspace transactions because 
of such worries. In this fashion, a deadweight loss reduces the economic surplus 
that would be created were privacy price discrimination in place. Such a loss, per- 
haps somewhat hidden during the Internet’s early stages of rapid growth, will be- 
come more visible as e-commerce enters a slower stage. As a columnist in Silicon 
Valley’s Mercury Center warns, “almost all of the online retailers hurriedly launched 
in 1998 and 1999 now appear doomed to disappear — not because e-commerce isn’t 
going to be important, but because consumers aren’t moving fast enough toward on- 
line shopping to sustain today’s Web retailers.” 

The failure in the privacy market also involves a distribution away from Marc and 
even Katie and towards data processing companies. Companies have no need to 
offer Marc greater services or more money for his personal data. In fact, they may 
not even meet Katie’s more modest privacy threat value. 

2. Weblining and the Limiting of Opportunity 

The benefits of access to information, including personal information, can cer- 
tainly be positive. Yet, the processing of personal data can also create significant 
social risks. If used improperly, profiling will squelch opportunity rather than pro- 
mote it. Consider the emerging practice of “Weblining,” which is similar to “red-lin- 
ing” in the real world. Weblining, as Business Week tells us, is the “Information Age 
version of that nasty old practice of redlining, where lenders and other businesses 
mark whole neighborhoods off-limits.” Weblining sews far-flung threads of per- 
sonal data, including data about one’s ethnic background or religion, into profiles 
that are used to sort people into categories and predict how they will behave. It cre- 
ates segmenting in which it is our data profiles that decide the price that we pay, 
the services we obtain, and our access to new products and information. Weblining 
sometimes even relies on so-called “neural networks,” which are digital systems that 
evolve over time in a fashion both independent of their developers and impossible 
to predict. 

'The danger is that Weblining will hinder or even reverse the kind of increased 
opportunity that access to information can stimulate. It can be used to limit eco- 
nomic and informational possibilities for individuals and different groups in a fash- 
ion that reflects and reinforces existing prejudices and mistaken beliefs. As Business 
Week warns, “Weblining may permanently close doors to you or your business.” 

3. Consumer Uncertainty Harms the Development of E-Commerce 

Americans may not fully understand the fashion in which Internet snooping oc- 
curs, but they do have a growing awareness that a privacy problem exists in cyber- 
space. As I have already noted above regarding the resulting deadweight losses, con- 
sumer worries about privacy are inhibiting electronic commerce. I wish to expand 
briefly on this point. 

The Pew Research Center’s “Internet and American Life” project furnishes in- 
sights into the dynamic of how the lack of Internet privacy harms e-commerce. The 
Pew Center’s Internet Life Report, Trust and Privacy Online (August 20, 2000) 
found, first, that the leading fear of Internet users concerned their privacy. Accord- 
ing to this survey, eighty-four percent of Internet users were worried about 
“[blusinesses and people you don’t know getting personal information about you and 
your family.”®® The Pew Research Center’s report also noted that “[a] strong sense 
of distrust shades many Internet users view of the online world and the uneasiness 
has grown in the past two years.” 

The Pew Research Center identified a relation between fears about privacy and 
“lower participation in some online activities, especially commercial and social ac- 
tivities.”®® In similar terms, a Business WeekfUarns Poll from March 2000 found 



36 


a high level of concern about privacy from people who have gone online but not yet 
shopped there.^^ Finally, the Forrester Research Group found in late 1999 that pri- 
vacy concerns had led to $2.8 billion in lost sales that year alone.^'^ Uncertainty 
about privacy is harming the development of e-commerce. 

B. Non-Economic Harms 

In addition to the economic harms that follow from the lack of strong privacy 
standards on the Internet, non-economic harms also take place. Cyberspace is not 
only a place for shopping; it is our new arena for public and private activities. 
Cyberspace demonstrates information technology’s great promise: to form new links 
between people and to marshall these connections to increase collaboration in polit- 
ical and other activities that promote democratic community. In particular, cyber- 
space has a tremendous potential to revitalize democratic self-governance at a time 
when a declining level of participation in communal life endangers civil society in 
the United States. 

Consider the Supreme Court’s decision in 1997 in ACLU v. Reno.^^ In striking 
down certain provisions of the Communication Decency Act, the Supreme Court de- 
clared its intention to protect the “vast democratic fora” of the Internet.^® The Su- 
preme Court considered the Internet to be a speaker’s paradise; as the Court noted, 
“this dynamic, multifacted category of communication” permits “any person with a 
phone line” to “become a town crier with a voice that resonates farther than it could 
from any soapbox.” This language is similar to language used by the political sci- 
entist Benjamin Barber, who has defined civil society as the free space in which 
democratic attitudes are cultivated and conditioned.^® In Professor Barber’s words, 
“The public needs its town square.” 

Without privacy, however, the implications of hanging out at the town square are 
dramatically changed. The Supreme Court’s decision in Reno v. ACLU is also illus- 
trative in this regard. The Supreme Court praised the Internet’s potential for fur- 
thering free speech; for the Court, the Internet represented a “new marketplace of 
ideas.”®® We must note, however, a paradox in this regard: while listening to ideas 
offline, in Real Space, generally does not create a data trail, listening in cyberspace 
does. The Internet’s interactive nature means that individuals on it simultaneously 
collect and transmit information; as a result, merely listening on the Internet be- 
comes a speech-act. A visit to a Web site or a chat room generates a record of one’s 
presence. 

To extend the Supreme Court’s metaphor, the role of town crier in cyberspace is 
often secretly assigned — a person can take on this role, whether or not she seeks 
it or knows afterwards that she has been given it. Already a leading computer hand- 
book, the Internet Bible, concludes its description of the low level of privacy in cyber- 
space with the warning, “Think about the newsgroups you review or join — they say 
a lot about you.”®® If cyberspace is to be a place where democratic discourse occurs, 
the right kinds of rules must shape the terms and conditions under which others 
have access to our personal data. The issue is of the highest importance; the Inter- 
net’s potential to improve democracy will be squandered unless we safeguard the 
kinds of information use that democratic community requires. 

A poor level of privacy in cyberspace threatens tbe promise of the Internet: it dis- 
courages political and social participation in this new realm. As Professor Jerry 
Kang has written of cyberspace, it is a place where “you are invisibly stamped with 
a bar code.”®® In the absence of strong privacy rules, Americans will hesitate to en- 
gage in cyberspace activities — including those that are most likely to promote demo- 
cratic self-rule. 


CONCLUSION 

The E.U. Data Protection Directive and the U.S. Commerce Department’s Safe 
Harbor indicate a possibility of harmonizing global data flows at a high level of pri- 
vacy protection. The question then becomes the kind of privacy protection that 
should be in place for personal data use within the U.S. In my testimony today, I 
have identified numerous grounds for concluding that the “privacy market,” that is 
the market in which personal data are collected and exchanged in the U.S., will not 
alone produce the right level of information privacy. Finally, I have sought to iden- 
tify a basic taxonomy of economic and non-economic harms occuring in the online 
realm. It is my hope that the Senate Commerce Committee will respond to this situ- 
ation with introduction of strong consumer privacy legislation. 

Thank you for the opportunity to testify today. 



37 


Endnotes 

1. Directive 95/46/EC of the European Parliament and of the Council of 24 Octo- 
ber 1995 on the protection of individuals with regard to the processing of personal 
data and on the free movement of such data, Art. 25, O.J. of the European Commu- 
nities, no.L281, 31 (Nov. 23, 1995) [hereinafter European Directive]. 

2. European Directive, at Art. 26. 

3. European Directive, at Art. 25(2). See Working Party on the Protection of Indi- 
viduals with Regard to the Processing of Personal Data, First Orientations on Trans- 
fers of Personal Data to Third Countries — Possible Ways Forward in Assessing Ade- 
quacy, XV D/5020/97-EN final WP4 1-5 (June 26, 1997). 

4. To make matters more complicated, the EU Directive’s provisions on data 
transfers are enforced by the Member States, which makes their current views and 
future action critical. 

5. Int’l Trade Admin., Electronic Commerce Task Force, Safe Harbor Principles 
(Nov. 4, 1998) <http: II www.ita.doc.gov ! ecom! menu.htm>. 

6. U.S. Commerce Dept, Safe Harbor Overview, (visited July 9, 2001) <http:l ! 
www.export.gov. safeharbor I SafeHarborInfo.html>. 

I. Id. 

8. For a description of early proposals regarding fair information practices, see the 
Privacy Protection Study Commission, Personal Privacy in an Information Society 
14- 15, 500-502 (1977); David Flaherty, Protecting Privacy in Surveillance Societies 
306-307 (1989). For analysis of fair information practices as the building blocks of 
information privacy, see Paul M. Schwartz, Privacy and the Economics of Personal 
Health Care Information, 76 Tex. L.Rev. 56-67 (1997); Paul M. Schwartz, Privacy 
and Participation, 80 Iowa L.Rev. 563-564 (1995). 

9. FTC, Privacy Online: Fair Information Practices in the Electronic Marketplace 
(May 2000). 

10. For citations to the relevant academic literature, see Paul M. Schwartz, Be- 
yond Lessig’s Code for Internet Privacy, 2000 Wise. L. Rev. 744, 768-69. 

II. Junkbusters & the Electronic Privacy Information Center, Pretty Poor Pri- 
vacy: An Assessment of P3P and Internet Privacy 6 (June 2000) <http:l ! 
www.junkbusters.com ! ht ! en Ip3p.html>. 

12. Jeffrey L. Seglin, As Office Snooping Grows, Who Watches the Watchers!, N.Y. 
TIMES, June 18, 2000, at Bus. Sec. 4. 

13. Id. 

14. Larry Armstrong, Someone to Watch Over You, Business Week, July 10, 2000, 
at 189. 

15. See, e.g., Fred H. Cate, Principles of Internet Privacy, 32 Conn. L. Rev. 877 
( 2000 ). 

16. For a recent summary and discussion of the poll data. See Federal Trade Com- 
mission, Privacy Online 2 (May 2000). As the FTC states, “surveys show that those 
consumers most concerned about threats to their privacy online are the least likely 
to engage in online commerce, and many consumers who have never made an online 
purchase identify privacy concerns as a key reason for their inaction.” Id. 

17. Mike Langberg, Low cost net devices not about to push aside PC, Mercury Cen- 
ter, July 14, 2000. 

18. Marcia Stepanek, Weblining, Bus. Wk., Apr. 3, 2000, at 2. {http:ll 
WWW. businessweek.com 12000 / 00 — 141 b367501 7.htm>. 

19. Id. 

20. Pew Internet & American Life Project, Trust and Privacy Online 4 (Aug. 20, 
2000 ). 

21. Id. at 12. 

22. Id. at 16. 

23. BusinessWeek! Harris Poll: A Growing Threat, Bus. Wk., Mar. 20, 2000, at 1. 
<http:l I www.businessweek.com 1 2000 1 00 — 12 1 b3673010.htm>. 

24. Trails of Personal Info Compromise Net Shopper’s Privacy, USA Today, Dec. 
20, 1999. 

25. 117 S.Ct. 2329 (1997). 

26. Id. at 2434. 

27. Reno v. ACLU, 117 S.Ct. 2329, 2344 (1997). 

28. Benjamin Barber, A Place for Us 76 (1998). 

29. Id. 

30. Reno, 117 S.Ct. at 2352. 

31. Brian Underdahl & Edward Willett, Internet Bible 247 (1998). 

32. Jerry Kang, Information Privacy in Cyberspace Transactions, 50 Stan. L. Rev. 
1193, 1198 (1998). 



38 


The Chairman. Thank you, Dr. Schwartz. 

Senator McCain. 

Senator McCain. Thank you, Mr. Chairman. 

Professor Schwartz, you state that polls have consistently shown 
that many Americans decline to engage in cyberspace transactions 
because of concerns about privacy. Why, if it is in the business’s 
interest to improve privacy protections, do you think businesses 
aren’t doing it? 

Mr. Schwartz. Well, I think it is for the reasons that I have de- 
scribed in my testimony — we don’t have a well-functioning privacy 
market currently. I think there are a number of reasons for this 
market failure, one of which is a kind of collective action problem. 
It is difficult for all of our privacy needs to be felt collectively in 
the market. 

My hope, by the way. Senator, is that in time the market will 
respond, and my view is the legislation that the Committee is dis- 
cussing will create the kind of environmental shock to the existing 
privacy market on the Internet that will create privacy-enhancing 
organizations and companies. 

Senator McCain. Mr. Rotenberg, a report published by Con- 
sumers International in January suggested there was widespread 
noncompliance in Europe with the EU’s privacy directive, which as 
we all know imposes very strict limitations on the collection, proc- 
essing, storage, and disclosure of personal data, both offline and on- 
line. What do you think this says about the possible effectiveness 
of laws as a means of ensuring privacy protections? 

Mr. Rotenberg. Senator, the study by Consumers International 
focused on a very narrow issue in the area of privacy protection, 
and that was simply whether notices were being posted by compa- 
nies that were operating on the Internet. The privacy directive in 
the European Union provides a great many rights and also creates 
institutions, such as Federal-level privacy officials that actively in- 
tervene on behalf of consumers to protect privacy interests. So I 
think taken as a whole, the privacy approach in Europe works fair- 
ly well, but it is certainly the case that on some of these specific 
matters, like the posting of privacy notices, there is always a ques- 
tion of compliance, and the Cl report reflected this. 

Senator McCain. Do you believe that there are any limitations 
that the First Amendment may impose on our ability to legislate 
privacy restrictions, as opposed to countries that don’t have a First 
Amendment? 

Mr. Rotenberg. Yes, I think there are, particularly in the areas 
of political speech, of course. Our very important First Amendment 
tradition, which sanctifies the right of people to speak even when 
the majority may disagree with them, weighs very heavily against 
any legislation by Congress. But here, of course, we are not really 
talking about political speech. We are talking about business prac- 
tices, commercial communications, and there the Court has 
recognized 

Senator McCain. But communications on the Internet could 
be 

Mr. Rotenberg [continuing]. A different approach. 

Senator McCain [continuing]. Interpreted as a form of speech ob- 
viously. 



39 


Mr. Rotenberg. Yes. And I think the Court would certainly con- 
sider the nature of the communications, as it has done in a number 
of recent cases. Both Fred Cate and I have discussed this issue, 
and there is the U.S. West case in the Tenth Circuit, where I think 
there was quite a bit of deference shown to commercial communica- 
tions, but the more recent cases from the D.C. Circuit and the D.C. 
District Court suggest that courts are willing to uphold privacy reg- 
ulations where the nature of the speech is purely commercial. 

Senator McCain. Mr. Cate, the issue of opt-in versus opt-out of 
any proposed legislation seems to dominate a lot of our debate and 
discussion. How critical is this element to this overall debate in re- 
gards to privacy? 

Mr. Cate. Well, Senator, from my view, opt-in as a legislative re- 
quirement across the board on the Internet is fatal. It is a tremen- 
dous problem exactly for the reasons I outlined in my testimony. 
That is not to say there are no places where opt-in might not be 
appropriate. For example. Congress wisely requested when col- 
lecting information online from very young children, that there be 
opt-in consent from the parents. That seems entirely appropriate. 

One problem with most online legislation, though, is that it does 
not make any distinctions between what most of us might consider 
private or sensitive information and all other information. So to 
use opt-in, the most restrictive possible privacy standard available 
to apply to all of that information, information that frankly might 
not be considered very private and information that could be con- 
sidered private, is not only constitutionally fatal, but it also really 
creates an impediment without creating any benefit along with it, 
because it protects under opt-in information that is routinely dis- 
closed or seen in the offline world, and this just makes no sense 
from a market perspective. 

Senator McCain. I would be glad to listen to Mr. Schwartz and 
Mr. Rotenberg’s comments on that as well, but I think we also need 
to put this into context. Every time we make a phone call, it is re- 
corded. Every time we go to Safeway and pay with a credit card, 
it is recorded. We are in a situation, not just on the Internet, but 
basically where all of our activities are recorded and are, to some 
degree, public property, which many of us are either oblivious to 
or don’t care about. 

But the fact is our lives now are not just confined to betrayal of 
privacy on the Internet. It is basically the way we conduct our com- 
munications and our transactions in our daily lives. 

Go ahead, Mr. Schwartz and Mr. Rotenberg. 

Mr. Schwartz. Senator McCain, I absolutely agree with you 
about this, about your point about these new data trails that we 
leave, not only on the Internet but at the supermarket and making 
calls. What I have argued for the in the past is thinking about the 
right mixture of both opt-in and opt-out rules in legislation. I think 
the touchstone should be trying to figure out how to make privacy 
protection work at the least cost to consumers, including trans- 
action costs. And in my view, that is going to require a mixture of 
both kinds of rules. 

Senator McCain. Mr. Rotenberg. 

Mr. Rotenberg. Senator, I will say that I think the opt-in ap- 
proach reflects the common-sense approach that before business 



40 


makes use of your information for another purpose, it should ask 
your permission. And this is the sense that most people have about 
the use 

Senator McCain. At Safeway? 

Mr. Rotenberg. Well, I think if Safeway is actually planning to 
sell your data, yes, and to sign up for one of those programs, in ef- 
fect you are opting in. If they were to take the data — it is an inter- 
esting example, in fact. If they were to take the data from you after 
you had made the decision not to opt into their program, I think 
virtually everyone would agree that that would be a violation of 
your privacy, and as to the example of telephone records, toll 
records and content and so forth, that information is subject to 
Federal law, and restrictions are in place, so that you do have some 
confidence when you make telephone calls, that information will 
not be disclosed. 

Senator McCain. Thank you, Mr. Chairman. 

The Chairman. We are alternating from side to side in order of 
appearance. 

Senator Rockefeller. 

Senator Rockefeller. In following up, Mr. Rotenberg, what you 
just said, in fact, this morning I received a phone call from a tele- 
phone company calling center, in which they said that somebody 
last night had made a long distance call at great expense using my 
credit card in New Jersey. 

Well, I have a son that goes to college in New Jersey 

[Laughter.] 

Senator Rockefeller [continuing]. But it was a very different 
area code number. And so — and partially in response to what Sen- 
ator McCain is saying — this was a very classic example of my 
rights being protected, because if somebody has that telephone 
number and is using it, which is obviously the case, and was using 
it in a very expensive fashion — it was a rather long phone call — 
they said, “We think you should cancel your credit card number,” 
which was against their business interests. 

Now, obviously we are going to get another one, but there is 
going to be a period of time when I am not going to be using, you 
know, their number. And so that was an example where my pri- 
vacy was specifically being protected, either because of Federal law, 
which you can answer, or because they desired to keep me on as 
a customer, because they knew that I would eventually see that 
there was somebody making an expensive phone call that simply 
had my number and had no right to have my number. 

Is that a Federal law making them do that? 

Mr. Rotenberg. Well, I don’t know if it is a Federal law that 
they contact you, but privacy laws certainly allow and anticipate 
that companies will need to do this. In fact, in the Federal wiretap 
statute, it is understood that telephone companies will from time 
to time listen in on telephone calls, and the reason that they do 
this is to assess the line quality, to measure their own service and 
to improve it. 

Privacy laws don’t operate as an obstacle to ensuring better serv- 
ice or enabling the detection of fraud where it is appropriate. The 
concern really arises when they take that information and say, 
“Well, maybe this would be of interest to someone else, or maybe 



41 


we should just disclose it”. That is where privacy law says, “This 
is really not related to the delivery of that service,” the perform- 
ance of our business responsibilities. Here we need to have some 
understanding about what the rules would be. 

But in your example, I don’t think there is anything there that 
is inconsistent at all, as you say, with privacy protection. 

Senator Rockefeller. Right. Mr. Cate, you indicated in your 
written statement that you oppose privacy laws. Does that also 
mean that you oppose laws that protect personal information col- 
lected from our children? 

Mr. Cate. Senator, I don’t believe I did indicate I opposed the 
privacy laws in my statement. If I gave the impression, it was in 
error. I certainly support privacy laws and certainly support pri- 
vacy. I oppose privacy laws that are unnecessarily expensive or 
don’t create a benefit at the same time. 

Senator Rockefeller. Now, this is exactly where I want to be, 
so you need to answer my question. 

Mr. Cate. I strongly support privacy laws that protect informa- 
tion collected from children. 

Senator Rockefeller. What about medical records? 

Mr. Cate. It would depend on the type of record and the 
context 

Senator Rockefeller. Now, what do you mean, it would depend 
upon? I mean, you say the word “depend upon,” and anybody can 
go in any direction and nobody will ever know. 

Mr. Cate. Senator, that is, in fact, the standard the Supreme 
Court has long used for evaluating the constitutionality of restric- 
tions on expression is how great is the interest and how closely 
does the law serve that interest. 

Senator Rockefeller. I don’t serve on the Supreme Court. I 
serve on the Commerce Committee. I would like an answer to my 
question. Do you support medical privacy? 

Mr. Cate. I certainly support medical privacy. Yes, sir. 

Senator Rockefeller. It depends on what nature. 

Mr. Cate. I support privacy. Yes. Absolutely. 

Senator Rockefeller. And absolute privacy or privacy abso- 
lutely? 

Mr. Cate. My support is absolute. I don’t believe you can have 
absolute privacy. 

Senator Rockefeller. OK. I will accept that. What about race? 

Mr. Cate. Excuse me. I 

Senator Rockefeller. Race, ethnicity. 

Mr. Cate. I believe your ethnicity is something that is in many 
cases reasonably discerned from your appearance, and so, no. I 
don’t believe 

Senator Rockefeller. I am talking about the Internet. I am not 
talking about face to face conversations. 

Mr. Cate. Well, I certainly don’t oppose the collection of that in- 
formation if you disclose it. 

Senator Rockefeller. Uh-huh. 

Mr. Cate. In fact. Federal law requires the disclosure of that in 
many instances. 

Senator Rockefeller. Now, wouldn’t regulations — if you op- 
posed these things or at least several of these things, these regula- 



42 


tions would impose a cost on industry, but you accept that cost on 
industry. 

Mr. Cate. I accept that cost if it generates a benefit that exceeds 
that cost, of course. 

Senator Rockefeller. What do you mean by “it creates a ben- 
efit”? 

Mr. Cate. If the net gain to society from a law is greater than 
the cost it imposes on society, that would generally indicate to me 
it is a desirable law. 

Senator Rockefeller. Uh-huh. OK. Last year you wrote an arti- 
cle opposing privacy protections. That may have been where I got 
my first bias from, in terms of my question. It said, “you believe 
it is wrong for Congress to prohibit states from selling people’s 
home addresses and driver’s license information in an effort to pre- 
vent stalking or identity theft”. Do you believe this still? 

Mr. Cate. I believe that it is wrong for Congress to prohibit the 
states from making available the information that is in the public 
record unless it is first demonstrated that there is substantial risk 
of harm from that information being made available. At the time 
that Congress enacted the Driver’s Privacy Protection Act and since 
then, it has not made that demonstration, and so I believe it was 
an inappropriate law. 

Senator Rockefeller. Would the other two witnesses be willing 
to comment? 

Mr. Rotenberg. Well, I think contrary to what Fred Cate has 
said, in recent opinions, the Trans Union versus FTC, and the 
RISC versus the FTC, the Courts have held that, in fact, a showing 
has been made by Congress in the area of financial privacy that 
outweighs the commercial speech interest, so actually I am not 
quite sure what his point is. I mean, he is correct that there is an 
analysis under the so-called intermediate level scrutiny view of 
these types of regulations that requires some demonstration of 
harm, but the recent decisions, I think, bode well for privacy. 

Now, as to the Driver’s Privacy Protection Act, he may not be fa- 
miliar with this. I know Senator Boxer is, because she was involved 
in the passage of that legislation, but it flowed from a very unfortu- 
nate incident involving a young woman in California, and because 
of that, the state of California and subsequently the Congress 
passed legislation to place certain restrictions on access to DMV 
records. 

I think even though these points are fairly well established, 
there is still some risk in saying that we should not have privacy 
legislation unless we can show that a lot of harm has occurred. A 
great many people believe to day that they would like to have pri- 
vacy legislation, so that harm doesn’t occur. It would be a good rea- 
son to legislate, to avoid the harm that might otherwise take place. 
But I think the showing as to previous legislation has been estab- 
lished. 

Senator Rockefeller. My time is up. Dr. Schwartz. I don’t know 
if 

The Chairman. Yes. That’s all right. Go ahead. 

Mr. Schwartz. Very briefly, I supported the Driver’s Privacy 
Protection Act. I think people, when they get a driver’s license, ex- 
pect the state to use that for driving-related information and not 



43 


to have it turn into commercial use by private organizations, and 
I think the Driver’s Privacy Protection Act tried to limit the use of 
such information to only compatible usage. 

On the First Amendment issue, I do think there is going to be 
increased scrutiny of privacy legislations by Courts. I also believe, 
however, that constitutional privacy legislation can and should be 
crafted. The cases that we have heard reference to, the Trans 
Union opinion from the D.C. Circuit and the more recent District 
Court decision regarding the Individual Reference Services Group, 
a decision from April 30, 2001, I think indicate how Congress can 
do it. Namely, they have to carefully identify the particular notion 
of privacy and the interest to be protected, and then try to craft 
legislation narrowly to further that interest. 

The Chairman. That is what we have got to do. 

Senator Rockefeller. Thank you, gentlemen. 

The Chairman. Thank you. 

Senator Allen. 

Senator Allen. Yes. I would like to ask — each of these folks. I 
have a lot of questions. At least my microphone works. 

As far as the platform for privacy preferences, P3P, it seems to 
me that that is emerging possibly as an industry standard, and it 
is an automated way for users to be informed, knowledgeable, and 
obviously a way of the private sector handling it, and in putting 
the decisions in the hand of the consumers. Mr. Cate, what is your 
view of P3P as a development and a way of securing the privacy 
decisions that all of us share a concern about? 

Mr. Cate. Well, Senator, I think it is a terrific development, and 
I think it is a perfect example of the ways in which technologies 
may help consumers protect our own privacy, and frankly, do so far 
more effectively than law can, because it would work outside of just 
the reach of U.S. law. It would not be concerned with jurisdictional 
boundaries and things like that. 

I think we still have to have some degree of awareness of the 
fact, for example, that all of our computers today allow us to estab- 
lish whether we accept cookies or not. However, virtually none of 
us actually exercise that choice, so the fact that we may now have 
a technology available, readily available, affordably, in fact, at no 
additional cost available, that allows us to set our privacy pref- 
erences. It will simply be interesting to measure as an empirical 
matter how many people actually take the trouble to do so and 
then act consistently with that. 

Senator Allen. Mr. Cate, let me ask you some more questions 
here. I have been studying this privacy, various principles and leg- 
islation over the years, whether it was the Wyden-Burns bill or 
Senator McCain’s bill or Senator Rollings’ bills or Hatch-Leahy, 
and so forth and so on. Senator Edwards’ bill as well. 

Do you believe that whatever principles are applied in any legis- 
lation should apply to offline as — at least similarly as it does to on- 
line? 

Mr. Cate. Yes, sir, I do believe that. 

Senator Allen. Do you have an understanding of the preemption 
of state laws? What is your view on the preemption of state laws? 
I know you talked about opt-in and opt-out, but I am trying to get 
your views on a broader section than opt-in and opt-out. 



44 


Mr. Cate. I certainly think Internet commerce, online commerce, 
is one place where preemption would be appropriate. I am not, you 
know, generally — I mean, my own legal scholarship does not sup- 
port preemption as a general matter, but in a place where you have 
an intrinsically form of interstate commerce and which it is not — 
Mr. Rotenberg mentioned businesses facing 50 standards. Forget 
about that. It is consumers facing 50 standards that is the problem, 
and a single standard that a consumer 

I mean, imagine the complexity. We worry about the Gramm- 
Leach-Bliley complexity, but imagine if we were getting notices 
from every single state that were different, instead of the variety 
of notices that were seen under one Federal law. If there is ever 
a case for preemption, I believe this is it. 

Senator Allen. Well, as far as — in the event that there is a vio- 
lation of those privacy standards, how best would that be enforced? 

Mr. Cate. I believe the, if you will, sort of traditional enforce- 
ment mechanisms would be either through the Federal Trade Com- 
mission or through the states’ attorneys general, and that that 
would seem appropriate in this instance as well, so that states 
would continue to play a critical role in enforcing these standards 
but would not play a role in writing these standards. 

Senator Allen. Implicitly, then, you are saying that you would 
not prefer or would not suggest a private right of action. 

Mr. Cate. I implicitly am saying that and am happy to say so 
explicitly as well, sir. 

Senator Allen. And why not? 

Mr. Cate. I think there are a number of reasons. One is, frankly, 
private rights of action tend to not be the best enforcement action, 
precisely because they become just add-on cases, so that if there is 
a complaint to the FTC, the FTC launches an investigation, and 
then we see the emergence of these additional cases, class actions 
and so forth, and it is unclear what is gained. You know, once the 
Government has acted or a state attorney general has acted, has 
brought a case, what the additional benefit is of these other cases. 

Also I think the potential damages are quite significant. Again, 
my good friend Mr. Rotenberg used the example of 500 or $1,000 
incident, but if you take an online service provider that has, say, 
20 million customers, and you have one single disclosure of infor- 
mation and you multiply it $1,000 times 20 million customers, I 
think that sort of fairly modest fine could be seen as fairly puni- 
tive. 

Senator Allen. I would like to ask Mr. Rotenberg and Mr. 
Schwartz to comment on the impact, to the extent that they can, 
on United States companies due to the European Union’s privacy 
directive, what impact that has had on consumers, but mostly to 
U.S. companies in Europe, if either of you could comment on that. 

Mr. Rotenberg. Senator, I can’t speak for U.S. companies, but 
I can say this, that as a result of the EU directive and the safe har- 
bor arrangement that was negotiated between the United States 
and Europe, European consumers have now at least a bit of con- 
fidence that when they do commerce with U.S. firms, they will get 
the type of privacy protection that has been traditionally associated 
with European privacy law. It has, in effect, raised the standard 
of practice for U.S. firms, allowed further entry into European mar- 



45 


kets, and opened up new commercial opportunities, and I think this 
is or should be good news. I mean, this is the way the privacy laws 
should operate. 

The goal is not to restrict business activity. The goal is to pro- 
mote consumer confidence and enable firms to conduct business in 
a way where privacy is protected, and I think the EU data directive 
and the safe harbor arrangement have furthered that goal. 

Senator Allen. Mr. Schwartz. 

Mr. Schwartz. As I testified, I am very encouraged by the im- 
portant information age companies that are signing up for the safe 
harbor. The EU directive has been a long time coming. It was en- 
acted in 1995. It took effect in 1998. European countries are now 
harmonizing their legislation to reflect its high standards, and now 
we have the safe harbor arrangement. I think we can hope, at 
least, that it is going to have a positive impact on American compa- 
nies. The hope is that American companies will provide the same 
level of protection to the personal information of American citizens 
that they do to the transfers of information from Europe that they 
are pledged to protect under the safe harbor. 

Senator Allen. Thank you. Thank you, Mr. Chairman. 

The Chairman. Very good. 

Senator Wyden. 

Senator Wyden. Thank you, Mr. Chairman. 

Gentlemen, last week Eli Lilly blamed a programming error for 
a problem where they accidentally disclosed email addresses of 
about 600 medical patients. My question to you is: Do you all be- 
lieve — we can just go right down the row, start with you, Mr. 
Rotenberg — that with a sensible privacy policy in this country, that 
those kinds of problems and ones that could conceivably far more 
serious would be less likely? 

Mr. Rotenberg. Yes, Senator. I think a good privacy policy, 
backed up with enforcement, would make those incidences less 
likely. 

Senator Wyden. Mr. Cate. 

Mr. Cate. No, Senator, I do not. In fact, I would note that infor- 
mation was collected pursuant to an opt-in requirement. 

Senator Wyden. Mr. Schwartz. 

Mr. Schwartz. I think that we have incidences of what has been 
called the “revenge effects” of technology. In the information age, 
it is very, very difficult to avoid the consequences of the kinds of 
networks that we see, so I don’t think privacy policies will make 
that go away. What we need is ongoing vigilance against these so- 
called “revenge effects,” as we have more and more use of tech- 
nology in our lives. 

Senator Wyden. Mr. Rotenberg, I think one of the key questions 
is whether we are going to have one standard or 50. I touched on 
it; so did you. I am curious whether you think that preemption, 
something that would ensure one standard, is inherently bad. In 
other words, if the U.S. Senate set the bar in the right place and 
did it in a fashion so as to ensure sufficient flexibility to promote 
the innovation that you are talking about, what would you be con- 
cerned about if the Congress went about it that way? 

Mr. Rotenberg. Well, Senator, as I said in my statement, my 
concern really flows from studying the history of privacy law in the 



46 


United States and seeing the Federal baseline enabling states to 
innovate and respecting our Federal form of government. I think 
those traditions are important ones, because states, in given that 
freedom, oftentimes will come up with better solutions. We have 
seen this. 

I mean, 10, 12 years ago, there was a lot of discussion about 
Caller ID, for example, and it was the state regulatory authorities 
that took the initiative there and led to the development of strong- 
er privacy protection for telephone customers. Today there is a big 
debate taking place about the privacy of genetic information, and 
this is another area where Congress has focused attention, but it 
has been the states that are leading. 

So I appreciate your point. I think if there were, as you said in 
your statement, meaningful privacy protection with preemption, 
that would certainly be better than a weak statute. But even mean- 
ingful privacy protection, I think, would lose an opportunity that 
history suggests we should try to preserve. 

Senator Wyden. Well, I want it understood that as we work on 
this issue, I want to make sure we don’t close off the opportunity 
for that state innovation that you are talking about. I mean, with 
the Electronic Signatures Bill, for example, we worked very hard 
to ensure that there was a role for the Federal Government, and 
there was a role for the states, and I would just hope that we could 
figure out a way at the end of the day to have one standard rather 
than 50 and do it so as to encourage the innovation you are talking 
about. 

Last question I wanted to ask each of you is: Is it the case that 
there are people today in the private sector who are doing the job 
right? Is there a company, more than one company, a set of organi- 
zations, that we can look to that really sets the bar in the right 
place? Why don’t we start with you, Mr. Schwartz, and just kind 
of go down the 

Mr. Schwartz. Sure. I think one interesting development has 
been marketing companies who are shifting to opt-in because of 
their belief that they will get higher quality information from con- 
sumers that they will be able to sell at a higher price. The dif- 
ficulty from the consumers’ viewpoint is — and this gets back to my 
point about the failure in the privacy market — it is hard to keep 
your information from being collected from the other companies. So 
you are kind of stuck there. You would rather do business with the 
good opt-in companies, but you are stuck with the Hobson’s choice 
of doing business with everyone. 

Another, I think, positive development is P3P. However, I don’t 
think technological solutions will be a silver bullet. I think you run 
into a chicken and the egg problem, where unless a lot of con- 
sumers decide they want to use P3P, and unless a lot of companies 
enable their sites to be P3P enabled, it may never take off. 

Senator Wyden. That would be your answer to the question, that 
P3P is in line with where you think we ought to be going in this 
country. 

Mr. Schwartz. My solution is that I think that both opt-in com- 
panies and P3P are part of the solution, but I don’t they are going 
to get us everywhere where we want to get without privacy legisla- 
tion. 



47 


Senator Wyden. OK. Mr. Cate. 

Mr. Cate. Senator, I don’t know that we necessarily see any per- 
fect solutions in the market, and I feel like I should also note in 
many instances privacy being a very personal concept, privacy is in 
the eyes of the beholder. I was interested to see that USA Today 
on Monday cited American Express’s privacy policy as one that it 
disliked the most. Three weeks ago in California, the chairman of 
the banking and finance Committee there in the assembly cited 
American Express as the finest example of a privacy policy that 
had been mailed out and had it distributed to every person in the 
audience in the hearing room, so that they could copy that exam- 
ple. So it is a little hard to figure out sort of what is best. 

But I would say, I think many online companies have done a 
very good job in being clear about what they do with information, 
about making clear about what consumers’ rights and opportunities 
are, and in really building consumer support and confidence. That 
is really the name of the game. 

Senator Wyden. Mr. Rotenberg. 

Mr. Rotenberg. Senator, we have had a simple measure for this 
question from the start. The question we ask is simply this: Are 
companies fully applying and enforcing fair information practices? 
That is the standard for us. On the technology, we think 

Senator Wyden. But is there a company out there — you are one 
of this country’s premier privacy authorities, and your view counts 
a lot with me. Is there a company or an organization in your view 
that is doing the job right today? 

Mr. Rotenberg. Senator, in my view, there are many companies 
that are doing a good job addressing privacy issues, but frankly 
part of trying to maintain our role in the privacy debate has re- 
quired also that we keep some distance from these companies. We 
don’t consult for them. We don’t advise, and we don’t endorse. We 
are interested solely in promoting the very best privacy protections 
for American consumers, and we will recognize when companies do 
a good job. But I would be very reluctant to name a company this 
morning. 

Senator Wyden. My time has expired, but be assured that I am 
going to ask you this question privately, because I value your view. 
Nobody is talking about endorsing a product. What we would like 
to know is whether there are some people out there that are doing 
the job right, so it can help us as we try to fashion legislation. 

I thank you, Mr. Chairman. 

The Chairman. Very good. Senator Stevens passes, so Senator 
Boxer. 

Senator Boxer. Thank you, Mr. Chairman. 

This is one of the most fascinating issues, because I think that 
it is simplistic to say there is an anti-business or a pro-business 
view, regardless of how you view this. My view is that when you 
look at the polling, it says 79 percent of those who did not buy gifts 
online in the 2000 holiday season said they did not like to send 
credit card or other personal information over the Internet. So 
some people aren’t going online, because they are a little afraid 
that their information will be sold. 

Also, concern about privacy is the single most cited reason Inter- 
net users give for not making purchases and for non-net users de- 



48 


dining to even go on the Internet. So I think if we do come up with 
something that is a smart, good, balanced plan here, I think we 
will, in fact, be helping consumers and business. That is why I 
work with John Kerry and Senator McCain, because I felt we did 
so try to come up with that balance. 

I wrote the Driver’s Privacy Protection Act, and it was, in fact, 
the State of South Carolina, Mr. Chairman, that questioned that 
Driver’s Privacy Protection Act. They wanted to sell people’s li- 
censes, and they appealed the constitutionality of this particular 
law all the way to the Supreme Court, and I was in the audience 
when the Court heard the case. It was a 9-0 decision, upholding 
the Driver’s Privacy Protection Act, and I think it is because of the 
nature of what was happening with these lists. 

They were being sold without people’s permission, and as Mr. 
Rotenberg said, it was a very tragic case that led me to write this 
particular law, because people were stalking other people, finding 
out who belonged to what license. So having said that, you would 
think that I am for the most — the strictest kind of privacy on the 
Internet. But I think what we are coming up with here is the fact 
that there isn’t a one — this is my view — a one-size-fits-all kind of 
deal. 

Having seen the Eli Lilly horrible situation, which Mr. Cate said, 
“Well, people opted in”, they didn’t opt-in to have the fact that they 
are taking a certain drug put out on the Internet with their email 
address. They opted in to be reminded about taking the medicine, 
so there was a misuse here. 

So, I guess, Mr. Cate, I want to ask you this, and you kind of 
answered it, but I want to get it on the record in a clearer way. 
Do you think that as we try to work together — and I really think 
there is a desire for us to do that — on a national privacy act re- 
garding the Internet — because you are right; if you have 50 dif- 
ferent laws, it is a nightmare. If you have this kind of law, do you 
think we could put our heads together and come up with opt-in and 
opt-out combinations, because frankly if I buy cookies online, I 
think opting out is saying, “Look, I opt-out. Something pops up on 
the screen; don’t sell my name to other cookie people”. You know, 
that is OK, and if somebody makes a mistake, and I get something 
about cookies, it is no big deal. But if I am taking a certain medi- 
cine, and I want to retain my privacy, that is a whole other deal. 

So do you think — do you see that as that we could, in fact, fash- 
ion something without being too specific, because I don’t think that 
is the way we should do it. Is there a way that we can have broad 
categories for opt-in and opt-out? 

Mr. Cate. Yes, Senator. I think that is absolutely correct. 

Senator Boxer. And may I ask the other gentlemen if they could 
see that there is a — did you want to add something to that or 

Mr. Cate. I always want to add something, but I will stop there 
in deference to my colleagues. 

Senator Boxer. Mr. Schwartz, Mr. Rotenberg, can you see that 
as a possible way for us to go? 

Mr. Schwartz. Yes. I absolutely think that a mixture of both 
opt-in and opt-out rules, as I said before, would be the way to take 
care of this at the least cost to consumers. I also think, to follow 
up on your point, that there is a tradition of privacy legislation 



49 


helping industry. An example would be the Fair Credit Reporting 
Act which I think contributed to the explosion in credit card use 
because of the consumer confidence about that information. 

I recently saw that cell phone manufacturers and cell phone com- 
panies are calling for legislation about wireless location dates, be- 
cause they think that cell phone use will stagnate unless there are 
limitations on how that information is used. So I think pro-privacy 
legislation can also help industry. 

Senator Boxer. And, of course, the Fair Credit Reporting Act 
does apply to the Internet, so that is good. 

Mr. Rotenberg, this idea of us working together on a combination 
of opt-in, opt-out? 

Mr. Rotenberg. Well, Senator, I have a somewhat different view 
of this issue than my colleagues. I think you need both opt-in and 
opt-out; I think they go together. But the relationship is a little bit 
different than the one described by Mr. Cate and Mr. Schwartz. I 
think you need opt-in at the front end to obtain real and meaning- 
ful consent, so that everyone understand what they are getting 
themselves into, and I think you need the right to opt-out on an 
ongoing basis if you decide that you are no longer satisfied with the 
relationship. I think it is the nature of all commercial transactions 
that common-sensically, we understand the exchange of things for 
value in this fashion. 

Now, I appreciate it is convenient to say, “Well, maybe if it is 
less sensitive information, opt-out would work, and for more sen- 
sitive information, opt-in might work”, and certainly bills have 
been done on that basis. I am aware of it. But I do believe that 
over time, the better approach, particularly because there is dif- 
ficulty always in drawing that line, is to say, “Let’s have explicit 
opt-in at the front end; let’s obtain meanin^ul consent, and let’s 
retain a right to opt out if someone isn’t happy”. 

Senator Boxer. Well, I agree with the two-to-one decision of the 
panel. Thank you. 

The Chairman. Thank you very much. 

Senator Nelson. 

Senator Nelson. Mr. Chairman, I did not make an opening 
statement, only to express my gratitude for the opportunity of 
being part of this Committee, and 

The Chairman. We will include your statement in the record if 
you want. 

Senator Nelson. Well, I am going to make it right now if 

The Chairman. Make yourself at home. 

Senator Nelson. I want to start out by saying that I, too, as Jay 
Rockefeller, would be outraged if there was a history of my trans- 
actions available to the public such as this. I come to this discus- 
sion today with some interest and some background in this area, 
for a Supreme Court decision back in the mid-90s entitled, Barnett 
Bank V. Bill Nelson, in my capacity as insurance commissioner, de- 
cided on a technical reason, that heretofore banks and insurance 
companies could merge, and I knew as insurance commissioner 
that there was the threat of the loss of privacy, that after Gramm- 
Leach-Bliley, we have seen exactly that. 

We have seen in the merger of banks and insurance companies 
that a person’s personally identifiable medical information, because 



50 


they had a physical exam in order to get a life insurance policy, 
and the life insurance policy now being a part of a bank holding 
company, that that information can be shared within that holding 
company. Even worse, that information can be shared outside of 
that holding company by contracting in a marketing agreement 
with a third party. 

And so when it comes to the issue of privacy on today’s discus- 
sion on the Internet, I approach this with the view that there are 
certain things that are inviolate to keep us from moving to the age 
of Big Brother, that clearly we ought to have, and in my judgment 
it would be for personally identifiable medical information. 

As the Senator from Oregon had just pointed out with Eli Lilly, 
in this particular case they are saying it is a mistake, but let me 
tell you what the mistake was. It was 600 people on Prozac, now 
information totally available to the world, on very personally iden- 
tifiable medical information. So when it comes to the question of 
whether or not you should share this privacy, I think it ought to 
be with the express written consent on medical information. 

On personally identifiable financial information, in the merger of 
banks and insurance companies, I think using the term of art here, 
opt-in, which is express consent, that clearly it ought to be. And so 
I come to this discussion intrigued that there really ought to be a 
basis of common sense that would govern us here. 

For example, when we get on in the Internet to interactive tele- 
vision, what is going to b^e the privacy on that? Shouldn’t we be 
having the right of privacy on an interactive television conversation 
over the Internet? 

So, Mr. Chairman, I will defer from asking any questions and 
look forward to learning a lot, but that is clearly the background 
that I bring to the table. And I am absolutely fascinated in this. 
I filed the legislation to correct what I consider the promises that 
were made in 1999 in the enactment of the Financial Services Mod- 
ernization Act, otherwise Gramm-Leach-Bliley, of which that huge 
gaping hole on not protecting privacy has not been filled when, in 
fact, it was promised. And I look forward to working with you, Mr. 
Chairman, on this. 

The Chairman. You are one of the best witnesses we have had. 

[Laughter.] 

The Chairman. I will include in the record Monday’s editorial in 
USA Today that verifies just exactly your idea about Gramm-Bli- 
ley. Confusing Privacy Notices Leave Consumers Exposed. We will 
include that in the record. 

[The information referred to follows:] 

[From USA Today. July 9, 2001] 

Confusing Privacy Notices Leave Consumers Exposed 
(Our view: Millions of records open up as people fail to ‘opt out.’) 

FINANCIAL PRIVACY 

Imagine spreading out all of your most personal financial data on the kitchen 
table, then having hordes of strangers storm in to browse, copy, share it with busi- 
ness partners and sell it to telemarketers. You could keep your privacy only by fol- 
lowing detailed, legalistic instructions each time a new snooper tries to barge 
through the door. 



51 


Millions of bank customers and credit card holders are in this situation this week, 
only the instructions are so confusing, many unwittingly threw them away. 

Welcome to the system Congress set up in 1999 to protect financial privacy. 
Banks, credit card companies and others who know how you spend your money can 
share and sell that information unless you explicitly “opt out.” 

Because fewer opt-outs mean more profit, the results are no surprise. When a 
July 1 deadline rolled around for giving customers their choice, the financial institu- 
tions made the notices as confusing as possible. 

Just look at some of the notices consumers have received: 

• One sent by American Express is written at the graduate-school level, according 
to a report for consumer advocates by readability expert Mark Hochhauser. Little 
help to the 92% of adults with less education. 

• Wells Fargo Bank sent out a notice that is 10 pages long, with no phone num- 
ber to call to opt out. Consumers must fill out a form, detach it and mail it at their 
own expense. A Wells Fargo spokesman says it didn’t want to “overload” its phone 
system. 

• The notice from Chevron Credit Bank offers a toll-free number, but it’s open 
only weekdays 7:30 a.m.-4:30 p.m. FT. But to apply for a credit card? That num- 
ber’s available until 11 p.m. weekdays and until 5:30 p.m. Saturdays. 

Little wonder, then, that despite widespread public concern about financial pri- 
vacy, fewer than 1% of consumers had exercised their right to opt out by mid-June, 
the American Bankers Association (ABA) estimates. An ABA survey in May found 
41% could not even recall receiving a notice. 

The hankers trade group offers transparent excuses, saying institutions merely 
followed model notices put together by regulators. But nothing in the regulations 
prevents a bank from adding plain English on top of the legalistic jargon. Something 
like: “If you don’t want us to share your personal data with telemarketers, here’s 
what you can do.” 

Congress caved in to the opt-out system pushed by the financial-services industry, 
which showered politicians and their parties with nearly $200 million in the decade 
before the bill was passed. 

Had Congress listened to consumer groups and privacy advocates instead of its 
campaign contributors, it would have instead created a far more protective “opt in” 
rule. That would have required banks to get customers to say yes before any infor- 
mation could be shared. 

You can bet that if bankers had to go begging for consumer permission to sell this 
private data, the notices would be plenty clear and quite memorable. 

It’s not too late to tell banks they can’t dispense your financial history at will. 
Customers can say no at any time. 

But if lawmakers want to protect consumer privacy in the future, they need to 
make would-be snoopers ring the doorbell first. 

The Chairman. Senator Edwards. 

STATEMENT OF HON. JOHN EDWARDS, 

U.S. SENATOR FROM NORTH CAROLINA 

Senator Edwards. Thank you, Mr. Chairman. Am I allowed to 
ask Senator Nelson questions? 

[Laughter.] 

Senator Edwards. Well, first of all, I want to thank the Chair- 
man for his leadership in this area. He has been a real force for 
protecting people’s individual privacy, and we appreciate all the 
work the Chairman has done in this area. 

I start with a very simple idea, which is that people ought to 
have control over their own personal private information, and mar- 
ried with that a practical idea which is when I think, for example, 
in the context of financial services — and I was involved in that leg- 
islation — when you mail somebody something, whether you have an 
opt-in or opt-out policy, as a practical matter, 90-plus percent of 
people pay little or no attention to it. And so I think you essentially 
decide the result when you choose either opt-in or opt-out, if they 
are the exclusive remedy. 



52 


What I would like to talk about is what I think I heard Mr. 
Schwartz mention a few minutes ago, which is maybe a more cre- 
ative solution to this dilemma, something that would allow us to 
put together some of the technology innovations that have been 
done by people like Microsoft with P3P and legislation, because it 
seems to me there ought to be some way to marry these concepts, 
opt-in, opt-out, and the use of technology, in a way that is effective, 
that allows people to really maintain control over their information, 
but at the same time, doesn’t hinder the use of the Internet. 

Now, I don’t know what that solution is, but if we get away from 
just the academic conceptual idea of the only choice, the Hobson’s 
choice in this case, is between opt-in or opt-out and ignores the use 
of technology, it seems to me that those things ought to work to- 
gether in combination in some fashion, and I would just like to 
hear a comment from each of you on that subject. 

Mr. Rotenberg. Well, Senator, we have been thinking about 
that issue for a long time, and we have been doing so in part be- 
cause we think that to effectively protect privacy, legislation will 
not be enough. I mean, I am happy to be here today and explain 
the need for legislation, but I think we also need very good tech- 
nology. Our organization EPIC was at the forefront of the battle to 
reform encryption policy, because we saw the need to make strong 
tools for online privacy available, and we continue to promote the 
availability of good technology for privacy. 

But I have to say this. Senator, and I know again I am probably 
going to be in the minority side of a two-to-one opinion. I do not 
believe that P3P as currently conceived is going to promote online 
privacy, because it lacks the essential elements of privacy protec- 
tion, of setting the bar high enough to limit the collection and use 
of personal information to afford any real safeguards. 

Senator Edwards. Can I interrupt you just a minute? 

Mr. Rotenberg. Yes. 

Senator Edwards. I understand that, and I understand there are 
concerns with that particular technology. But my question is more 
conceptual. Is there not a way to 

Mr. Rotenberg. Yes. 

Senator Edwards [continuing]. Use technology in combination 
with legislation? 

Mr. Rotenberg. The key, I believe, to privacy solutions using 
technology is to minimize the collection of personally identifiable 
information. You see, it is the collection of the data about you, your 
address, the members of your family, your financial circumstances, 
all of this that gives rise to the privacy problem. 

I mean, if we were talking about the environment, we would ba- 
sically be talking about a form of pollution. It is sort of the byprod- 
uct of production. If we can find a way to limit the generation of 
that personal information and still enable online commerce and 
still enable people to receive and exchange information, I think we 
will go a very long way by technical means to protecting privacy 
online. 

It is the reason, for example, that people who study Internet pri- 
vacy feel so passionately about anonymity. Now, to a lot of us, you 
may think. Well, I am little bit concerned about people who want 
to be anonymous. But if you think about it for a moment, most 



53 


transactions, cash-based transactions, most activities, walking 
down a street, reading a book, going into a movie theater, these are 
all essentially anonymous transactions. 

And so we see the bedrock for online privacy in the technological 
realm as trying to preserve anonymity, and from that, a lot of 
things, I believe, will be possible, and I think it coexists very nice- 
ly, in fact, with legislation, because legislation says, “And at the 
point that you start to collect personally identifiable information, 
then we are going to impose some legal burdens on you, but if you 
can do what you want to do without collecting data 

Senator Edwards. But shouldn’t people have the personal privi- 
lege or right to decide they don’t mind if their personal information 
is being collected? 

Mr. Rotenberg. Absolutely. I mean, we do not argue against the 
right that everyone has to disclose information, to go on a tele- 
vision talk show, to do whatever they wish to publicize their pri- 
vate life. That is a choice that every person always has. The ques- 
tion is: Do they have the right, even in the most public of careers, 
to then spend time with their family, to then pick up a telephone, 
to then have a private conversation with a colleague, and not have 
that information disclosed to others? 

And for that to happen in the online environment, I think we are 
going to need very strong techniques. 

Senator Edwards. Thank you, Mr. Rotenberg. Mr. Cate and Mr. 
Schwartz, I want an answer, but please make it very brief, because 
I have got one other subject I want to cover very clearly. 

Mr. Cate. Yes, Senator, I agree. I think you put your finger right 
on the point, which is that the goal of privacy law should be to em- 
power consumers, to put as many tools as possible into our hands, 
and technology is clearly one of those critical tools. 

Senator Edwards. Mr. Schwartz. 

Mr. Schwartz. I think that good legislation can stimulate their 
use of the right kind of technology. I think as a model for that, the 
Child’s Online Privacy Protection Act allows industry to draft safe 
harbor standards as to how to get parents’ consent at the least cost 
to parents. Those safe harbor standards are scrutinized by the 
ETC, and the ETC has to approve them. This legislation didn’t try 
to micro-manage the way industry could go about getting parental 
consent, but let industry figure out how to do it at the cheapest 
cost using technology. 

Senator Edwards. Thank you. I want to continue to work with 
you on this issue, because I think there is a way to do this. Second, 
I want to change the subject briefly and talk about something 
called location privacy, which is — this whole privacy issue fas- 
cinates me, but location privacy has been something I have been 
thinking about a lot recently. 

You know, everyone in this room who has a cell phone, a pager, 
a Palm Pilot, somebody, some company somewhere knows where 
they are, and people who use these OnStar directional systems in 
their cars, which are becoming more and more prevalent, also peo- 
ple are going to know where they are in their automobiles. 

And it seems to me that that — and I think there is some recogni- 
tion of this — that is information that is private, and people may 
want to maintain some control about. I am introducing legislation 



54 


today, in fact, on this subject, to provide people control over that 
information and specifically to require their permission in order for 
whatever company has that information to give it to — sell it or use 
it, give it to third parties. 

But I am interested in each of your perspectives on that issue, 
whether you think it is important to protect people’s personal infor- 
mation about where they are located, particularly when they don’t 
want that information disclosed, but the only reason somebody else 
has it is because they are using a cell phone or they are using a 
pager, or they are using one of these new systems. 

I might add that we have been working with the people involved 
in all of those industries, and I think they are concerned about the 
same thing. I think they care about their customers’ privacy, so 
they have been working very closely with us on this, but I am in- 
terested in your comments about that, starting with you, Mr. 
Rotenberg. 

Mr. Rotenberg. Senator, I think this is one area where estab- 
lishing privacy protection at the front end could help establish con- 
sumer confidence in the offering of these new services and give peo- 
ple the assurance that when they take advantage of some of these 
new services, their privacy will be protected. I really wonder at this 
point, with the recent experience of the Internet, if the cellular in- 
dustry wants to go through the whole self-regulatory exercise again 
with everything that came about from that. 

Senator Edwards. If I could interrupt you just a minute, one of 
our goals in this is to try to deal with this on the front end, so that 
is one of the things we hope to accomplish. 

Mr. Rotenberg. Right. I mean, some of the practical problems 
that have been identified, for example, is how do you provide a pri- 
vacy notice on a cell phone screen? It is just — it is not going to 
work. I think my colleague, Mr. Cate, even acknowledged recently 
that this seemed to be an area where legislation was appropriate. 
And I think here again, good privacy legislation will be good for 
consumers; it will protect their data. It will be good for business, 
because they will be able to provide some assurance to their cus- 
tomers that their information won’t be misused. 

Senator Edwards. Mr. Cate and Mr. Schwartz, my time is up. 
Just give me a couple sentences each, please. 

Mr. Cate. I agree. I think it is a critical issue. I think in reality 
it is going to be a tremendously vexing issue, because it shows the 
difficulty of this sort of dialog of notice and choice and all of this, 
because there is, as Mr. Rotenberg says, “really very little room in 
that for a screen”. 

And finally it highlights the fact that, I think, frankly what most 
people in the cases we have seen so far are worried about is Gov- 
ernment coming and subpoenaing those records, and no amount of 
privacy policy is going to deal with that, because you can’t insert 
a contract to protect you from a Eederal action. 

Senator Edwards. Mr. Schwartz. 

Mr. Schwartz. I just want to comment on one thing which is a 
knowledge gap in this area. It is not only that we have to worry 
about cookies and web bugs, but here we have another area in 
which there is likely to be an information asymmetry between the 
people who collect the information and the consumers. I think leg- 



55 


islation could help that, because you are not going to have a nego- 
tiation when there is that gap in knowledge. 

Senator Edwards. I thank the witnesses very much, and I thank 
the Chairman for his indulgence. 

The Chairman. Thank you. 

Senator Kerry. 

STATEMENT OF HON. JOHN F. KERRY, 

U.S. SENATOR FROM MASSACHUSETTS 

Senator Kerry. Thank you, Mr. Chairman. 

Let me begin, if I may, by just saying to my colleagues that I am 
circulating a letter and ultimately will be putting in a resolution 
on P3P, urging all of us in the Senate to make our web sites P3P 
compliant, and ultimately that we should be urging all government 
entities to do so. The chicken and egg issue that was raised earlier 
is a real issue. You won’t have the software developed and avail- 
able unless people are making machine-readable capacity at their 
sites and vice versa, so it goes together, and I think we need to set 
the example and try to move on that. 

Second, with respect to the issue raised by Senator Boxer and 
Senator Edwards, I have talked to Senator Rollings, our Chairman, 
about this. Senator McCain and I will be reintroducing our legisla- 
tion, but with some added detail this time. I think the mistake we 
made before and I think the mistake we are all making here in this 
discussion is that this is being made somewhat more complicated 
than it needs to be, and that is because we are confusing medical 
and financial requirements and demands with privacy with a pure 
commercial transactional demand, and there are distinctions. 

There are distinctions, obviously, in the Supreme Court in terms 
of commercial speech, and there are distinctions in the weights 
that we have heard discussed here about what sort of public inter- 
est is measured against the restraint that we put in place to sup- 
port that interest. And in the balance — and I have talked to the 
Chairman about this privately — I believe there is a mix and match 
here, that there is a much easier way to have opt-in, where opt- 
in is appropriate, almost obviously, as a matter of common sense, 
on medical information and financial information, but that pre- 
cisely because of the delicate nature of the commercial transaction 
and the status of the Internet and all of the interest we have in 
its future development and the potential for sales, et cetera, and 
the need to still fulfill the full measure the experiment here about 
whether or not you can survive on advertising or not or how it is 
going to work, there is a marketing component where there is just 
no harm, where you can’t measure harm, and we shouldn’t be get- 
ting so excited about it. 

The mistake, I think, that Senator McCain and I made was we 
were silent on the issue of medical and financial, because they were 
being sort of dealt with out there in the other universe, and I don’t 
think you can be. I think it is too easy for people to say, “Well, wait 
a minute; how are you going to deal with this particular compo- 
nent”. It is absolutely clear, Mr. Chairman, that financial informa- 
tion deserves the most privacy you can give it, and there ought to 
be sufficient protection. Likewise, medical, absolutely. What we 
have heard described here is unacceptable by any standard. 



56 


But — and, again, here is where we are all missing something — 
the debate is really not so much centered on opt-in versus opt-out 
if you have adequately adhered to the five principles that have 
been set out by the FTC and by most observers with respect to no- 
tice, adequate notice; adequate choice; adequate access; adequate 
security; and adequate enforcement. If you have each of those suffi- 
ciently, then opt-in/opt-out becomes a much more diminished sort 
of argument. And I see you are nodding your head. Professor 
Schwartz, and I think you would agree that there is sort of a confu- 
sion here. 

Now, if — let me ask you each sort of a fundamental question 
here. Are we concerned — should this Committee be concerned with 
a generic American citizen right to privacy, or are we concerned 
with some specialized thing called privacy on the Internet? 

Professor Schwartz. 

Mr. Schwartz. There are two trends here that are colliding. One 
is the trend of convergence. The Internet is now being incorporated 
into more aspects of our life, so we may be accessing it through a 
telephone or a television. It becomes increasingly difficult then to 
view the Internet as an abstraction. The difficulty, however — and 
I don’t have a solution to this — is that the American tradition of 
privacy legislation has been sectoral in focus. So to that extent it 
is quite appropriate to be looking at privacy legislation for the 
Internet. That has traditionally been the way that we have done 
it, but there is this tension 

Senator Kerry. Well, I don’t disagree. I don’t disagree at all, but 
I think each of you — Mr. Rotenberg, you and I have discussed this 
in previous hearings. We have kind of been over this ground before, 
and I think we are talking past each other a little bit. If privacy 
is the concern of Americans — and Senator raised this earlier a little 
bit — you have a right to privacy in Stop-and-Shop or Safeway or 
any store, just as you do on the Internet. 

If the information when you walk into a department store is used 
to market to you, do you deserve the same protection for that as 
you do for the marketing, for the browsing that you do within the 
Internet, if the only harm is the potential that you are going to re- 
ceive a solicitation? So is the protection the same? 

Mr. Schwartz. I think the concern for privacy, yes, is the same, 
and the focus of legislation, to the extent that you want to have 
legislation, should be at the moment of collection to the extent you 
see that there is harm. 

Senator Kerry. But you see — and I think each of you would 
agree with this — if we — we wind up picking winners and losers. If 
we are only focused on the Internet transaction, we create a re- 
quirement that applies to a sale in one place but doesn’t apply to 
a sale in another place. Where is the equity in that, Mr. Rotenberg? 

Mr. Rotenberg. Well, Senator, I understand your point, and I 
don’t think it is appropriate to impose different rules, but at the 
same time 

Senator Kerry. But we are being asked to. 

Mr. Rotenberg. Not exactly, sir. You see, the Internet by its na- 
ture, because it is an interactive digital environment, creates pri- 
vacy risks that simply do not exist in the physical world. If you go 
into a supermarket, the only cookies you are going to find are on 



57 


aisle 7, and they are going to have a blue bag around them. But 
if you go onto the Internet, every web site that you go to potentially 
is going to try to place a tracking technique on your computer. 
There is 

Senator Kerry. I agree with that. I completely agree with that, 
but that then depends — you see, but the question is still the same. 
Does the same right of privacy attach to the potential of a solicita- 
tion that comes out of the tracking of your purchases over a period 
of time at a store versus the tracking that takes place of your 
browsing or journeys on the Internet? That’s question No. 1. 

And No. 2: If we were to adequately do the mix and match that 
we have talked about, so that you have the adequate notice, the 
adequate security, the adequate enforcement, the adequate choice, 
and you are opting into that or opting out, as the choice may be 
according to what the potential harm is, you can provide the pro- 
tection for the financial, provide the protection for the medical, pro- 
hibit the cookies, maybe even make an opt-in where cookies are in- 
volved, make an opt-in where you have the lack — where you have 
any other kind of tracking for your journeys as a whole, but not 
interfere necessarily with the more mundane, normal, trans- 
actional, routine effort that people are more concerned about. 

And that is where, I think, you find the most concern in terms 
of whether or not it is a choice of opt-in/opt-out ultimately. It seems 
to me you can provide the adequate protection and provide for a 
range of technological fixes simultaneously. Would you like to com- 
ment? 

Mr. Cate. Yes, Senator, I would. I think that is exactly correct. 
In other words, when you said earlier focus on the harm, where is 
the harm, that that is exactly the point. If Congress were to deal 
with the issues where there is a real threat of harm or sensitive 
financial or sensitive medical information, as you have already 
dealt with the situation of children, much of this issue would pre- 
sumably go away. 

The problem has been that many of these laws being interpreted 
much more broadly, so, for example, Gramm-Leach-Bliley, which I 
think everybody would support some level of privacy protection for 
financial information, but in the hands of Federal regulators, finan- 
cial information got defined to include your ZIP code; it got defined 
to include your address; it got defined to include things that most 
of us don’t mean when we mean financial information. 

We already see from HHS the same movement in health informa- 
tion, where in order to have health information de-identified, it has 
to be de-identified, for example, to the year of treatment. Well, I 
just don’t think the month I was treated is highly sensitive medical 
information, as I was trying to intimate earlier in the dialog with 
Senator Rockefeller, so it depends on how you define these. 

But if you define them so you deal with information that poses 
real risks, that is precisely where a legislative solution is des- 
perately needed. 

Senator Kerry. All right. Fair enough. 

Well, I think, Mr. Chairman, that is precisely what our bill will 
set out to do this time, and I certainly want to work with you to 
see if we couldn’t make that mix and match adequately, but what 
we are going to do is not be silent this time. I think we are going 



58 


to be more specific, more comprehensive in that regard, and it 
seems that if you have adequate notice, choice, access, security and 
enforcement, and then measure the act of sort of opening up your 
site and deciding where you want to go, that is a form of opt-in in 
and of itself. 

I mean, the minute you turn on your computer and sit down at 
it, you are opting in, and the key here is to know where you are 
going in terms of the cookies and the other intrusions that people 
are not necessarily aware of today. 

Thank you, Mr. Chairman. 

The Chairman. I won’t be silent either. 

Senator Cleland. 

STATEMENT OF HON. MAX CLELAND, 

U.S. SENATOR FROM GEORGIA 

Senator Cleland. Thank you very much, Mr. Chairman. I opted 
in to coming to the hearing, but after seeing the complexity, I am 
about to opt out. 

I am — I guess my mind seeks to make some sense of all this by 
trying to search for the fundamental issue here. We talked in terms 
of privacy, and of course, the American people want private trans- 
actions, whether it is on the telephone, whether it is watching tele- 
vision, whether it is on the Internet, or whether it is shopping. I 
wonder if the ultimate issue is not so much privacy or even secure 
telecommunications or even interactive communications, but in 
terms of what we are after here, a comfort level by the consumer 
without which the commerce does not move forward. 

I mean, after seeing the printout of what Jay Rockefeller catches 
on his Internet, I am kind of glad I don’t have a computer at home. 
I don’t have a television, so I am being more disconnected, not so 
much for fear of invasion of privacy but hearing what I hear about 
how people can track me if I had a computer and access to Inter- 
net, that gives me pause as a citizen, and our citizens out there 
have great concern about this. 

I wonder if the ultimate question is about who chooses what, not 
so much what they choose, opt-in, opt-out, but who chooses. Who 
is empowered here and who is disempowered? I mean, it seems like 
the whole great blessing of the Internet can also be a curse. We can 
sow to the wind, and we can reap the whirlwind. We have sown 
to the wind, and it is a blessing in the sense that we are more con- 
nected. We know more about each other than we ever thought we 
would ever know, and a lot of that is good; a lot of that is healthy. 

But I think people basically want the power themselves to deter- 
mine when anybody knows anything about them. It is one thing to 
turn on a TV, a one-way interaction here, and watch it while sit- 
ting in the privacy of my home. It is another thing to turn on a 
television in the privacy of my home and realize everybody is 
watching me. That is a whole new dimension here, and as we get 
into interactive television and other forms of interactive commu- 
nication, where I am, what I am watching, what I am doing and 
how I am communicating will be more and more broadly known. 

So I think therein is the challenge here: how to continue to lower 
the barriers that have been there for communications, how to open 
up communications, whether it is e-commerce or personal commu- 



59 


nications, but then how to retain the power of the individual to be 
empowered to determine when other people see me, see what I am 
doing, and have access to me and my information. 

I mean, it seems to me that that might be the crux of the matter. 
I get lost in the opt-in/opt-out, alQiough I identify with Mr. 
Rotenberg here that maybe we talk about a blend here. But how 
knows where to draw the line, and is it really possible to draw that 
line in legislation? I mean, I don’t think I am quite smart enough 
to. I mean, I do see where the European Union has tried to do it 
and where some 70 companies have signed up with the EU privacy 
safe harbor concept, including Microsoft. 

The safe harbor requires notice, opt-in for sensitive personal in- 
formation, opt-out for commercial marketing personal information, 
and a right of reasonable access and security. Safe harbor also pro- 
hibits the onward transfer of personal information to third parties 
unless those parties also adhere to the safe harbor concept. So, I 
mean, that is the European Union. They have moved on it, and 
some 70 companies have signed up. That is one way to go about 
it, to increase the sense of security about what people are commu- 
nicating about. 

But I wonder if the real answer isn’t this whole question of who 
determines whether or not I am looked at, whether or not I am 
tracked. Mr. Rotenberg, do you want to comment? 

Mr. Rotenberg. Well, Senator, I was going to say that I actually 
thought your point really goes to the heart of the issue, perhaps 
more so than the debate over opt-in and opt-out and preemption or 
private right of action, all those other specific provisions. What pri- 
vacy laws seek to do is to give people the ability to control the use 
of their personal information, to enable people to do business with 
their banks and to give sensitive information to doctors and a 
whole host of other things. 

But at their core, the intent is to address the concern that you 
identified: How do we control this information about us? And I 
think the reason that we need to stay focused on that issue as op- 
posed to some of these other line-drawing issues is that first of all, 
those line-drawing issues are very difficult, and second, they can be 
misleading. It is tempting to say, for example, that medical infor- 
mation, financial information, is particularly sensitive, so that we 
will give a high standard to, and we will do something else with 
the rest of the information. 

But what do you do when you find out, for example, that rental 
car companies now have the ability to track you when you are driv- 
ing your car, and they know, for example, when you drive too fast? 
Millions of Americans learned this past week that that was taking 
place, and they were very upset about it. It didn’t fall neatly into 
the bin marked. Medical information, or the bin marked, Einancial 
information, but it was, I think, very much a part of what you were 
describing. It is the ability to control information about oneself. 

Senator Cleland. If they ever find out what we are doing on a 
Saturday night date in the car, then we will all be in trouble. 

Mr. Cate. 

Mr. Cate. Senator, I think you are exactly right. The question 
is, you know, who makes the decision and on how much knowl- 
edge — you know, what knowledge or information do they have 



60 


when they make it? I think when you think in the context of the 
Internet, we have talked a lot about the ability of the Internet to 
be a privacy compromising technology. It is also a privacy-pro- 
tecting technology. It offers the ability to appear to the world with- 
out appearing physically, the ability to block a fair amount of infor- 
mation about oneself 

The list that has been circulated of Mr. Rockefeller’s browsing 
habits, which I have not seen but would love to. Senator is taken 
from his computer, the computer obtained in his office, just like if 
a checkbook were in the office or if a credit card statement were 
in the office. And interestingly, the technology is there to block the 
recording of cookies, to clear out the cache so that there is no 
record of where the computer has been; in other words, to put the 
individual entirely in the driver’s seat. 

But even the failure to exercise that means only that if somebody 
breaks in your office or is authorized to come in and look for that 
information, they find it. And there is a question of how much far- 
ther should law go to protect us. 

Senator Cleland. Mr. Schwartz. 

Mr. Schwartz. I think the point about trying to empower and 
shifting power to consumers is a critical one in this debate, and I 
also agree with you regarding this issue about the comfort level for 
consumers, which we have discussed today, and about how good 
privacy legislation will hopefully stimulate e-commerce and in- 
crease this comfort level. 

Senator Cleland. Thank you all very much. My time is up, Mr. 
Chairman. Thank you. 

The Chairman. Very good. 

Senator Ensign. 

STATEMENT OF HON. JOHN ENSIGN, 

U.S. SENATOR FROM NEVADA 

Senator Ensign. Thank you, Mr. Chairman. It is great to be back 
on the Committee, by the way. We 

The Chairman. Glad to have you back, too. 

Senator Ensign. This whole issue of privacy — and I think, first 
of all, some of it has been generated by the movies that we grew 
up watching and some of the books that we grew up reading, but, 
we live in the world today where some of those things are becoming 
reality. 

I also think that some of this being generated by the Internet be- 
cause people don’t understand technology; they don’t — they are 
afraid of it. A lot of this, it seems to me, is being put on the Inter- 
net which came out of telemarketing and mass mailing. I mean, 
that is where, people are sick of getting things in the mail, and — 
I know I am. 

I will give you a great example, and I will compliment a com- 
pany. I doubt if anybody from the Bose Company is here today, but 
I just bought one of those new Bose wave radios, and I was very 
impressed by the company, because at the register, they asked me 
if I wanted to sign up for the warranty information. I never fill 
those things out — I don’t think anybody does hardly anymore — ^be- 
cause they know that you are just getting put on some mailing list. 



61 


Well, right there, they gave an opt-out provision, and they said, 
“Do you want to be on our mailing list”. And, of course, I said, “no”. 

But it is that type, I think, of thing that people are so sick of, 
that now this is being put on the Internet, that they think it is 
going to be much worse, and I think that — and what I would like 
your comment on, and I would like to start with you, Mr. Cate, is 
the idea that, first of all, people don’t understand what they are 
trying to protect themselves from. Do they really understand — I 
mean, we all want — none of us want our personal identify to be sto- 
len and somebody go get our credit cards, you know, and get a driv- 
er’s license and go and ruin us. I mean, those are the horror stories 
that we hear about. 

But at the same time — and I will use this example. I am from 
Nevada. You come and you stay in a hotel. You register in that 
hotel. You give them all of your information, including credit card 
information. That hotel now will periodically contact you and say, 
“We are having a special, a discount during a certain period of 
time”. Well, you have signed up. You didn’t necessarily opt in to 
get that information, but at the same time, you kind of like it. 
Some people might; some people might not. 

And, you know, and the marketplaces determines whether or not 
companies are going to go more toward the opt-out or opt-in provi- 
sion right up front. Because more and more people are demanding 
that. 

But I guess what I would like your comment on is: How careful 
do we have to be that we don’t ruin some of this interaction be- 
tween a company that you have voluntarily given your information 
to and still protecting the privacy and getting the public to under- 
stand what privacy truly is? 

Mr. Cate. Thank you. Senator. You have raised a number of 
issues. I think there is no question about what much of sort of the 
angst we see about the Internet that is called privacy might be 
somewhat more undifferentiated, and if you would do follow-up 
questions and surveys, you find that on the Internet, security 
seems to really be the major issue. I am not suggesting it is not 
related to privacy, but we should recognize that it is a very dif- 
ferent issue. 

What people are worried about, as I think Senator Boxer read 
out, is if I provide my credit card, will it be safe getting to you? 
And no amount of opt-in or opt-out or anything is going to do one 
thing about that, so if we want to respond to that concern, that 
should be identified more clearly. 

It is also interesting that, of course, we, even people who spend 
a lot of time on the Internet or think we understand some little 
something about it, nevertheless find ourselves behaving some- 
what, you know, irrationally. You know, will I provide my US Air — 
my Visa card to US Air when I buy a ticket online? You know, I 
worry, is it safe, but I provide it over the phone, or I provide it at 
a restaurant where the guy disappears with it for 20 minutes. I 
don’t have any idea where it is, and I feel great. And, you know, 
it just shows that I am behaving like an idiot. I mean, that doesn’t 
necessarily suggest that there should be legislation requiring that 
I be made to feel better. 



62 


On the question of sort of the interaction with companies, I think 
this does reflect the fact that although we all complain about junk 
mail, everybody does — it doesn’t matter what side of this issue you 
are on; I have never anyone who didn’t. On the other hand, it is 
interesting. If you talk to people in companies, the customer service 
center reports that the most frequent complaint letter they get re- 
lated to direct mail is not, why did you send it, but why didn’t you 
send it. My neighbor got a coupon; why didn’t I. Why am I no 
longer getting the catalog in the mail? Why am I no longer getting 
these offers? 

And the thing that we really don’t like is anybody else getting 
something we didn’t get. And so, you know, we have to worry about 
whether there really is much harm 

Senator Ensign. Not to interrupt you on that, but I haven’t ever 
had anybody complain that they didn’t get one of my mail pieces 
in a campaign. 

[Laughter.] 

Senator Ensign. Sorry. 

Mr. Cate. There are so many things I should say to that, but 
none that I would, so — ^you know, so I Qiink you are right and espe- 
cially on the Internet, where the only relationship that most con- 
sumers have with their companies that they do business with is in- 
formation. The only way my banker or airline company or whatever 
that I deal with online knows me is through information, so the 
only way they know what to offer me, what to show me, what 
meets my interest, is by collecting and using that information. To 
cut that off only hurts me. 

Senator Ensign. Just before the other — and I want both of you 
to follow up. Also maybe incorporate being somewhat familiar with 
health information — I mean, that seems to be one of our most pre- 
vious things that we want private, and we talk about balancing all 
of this. And yet if you are into the study of epidemiology, the 
spread of diseases, we know that what you don’t want is your med- 
ical information made public, because those are private things you 
wouldn’t want them to know. But — you also don’t want to have 
somebody perhaps discriminate against you on a job if they find 
something out, or just some people are just real private about those 
kinds of things. 

But at the same time, that information is very important for us 
when we are, you know, talking about especially communicable dis- 
eases or studying — for instance, in Nevada right now, there is this 
leukemia cluster going on with kids. Well, if you don’t know that 
there are 11 cases, if that information isn’t shared, we don’t know 
that there is a leukemia cluster going on. 

And so, just if you could, incorporate some of those thoughts into 
your response. 

Mr. Rotenberg. Senator, I need to say again that it is I don’t 
think generally the view of the privacy community to oppose online 
marketing. I think the question is, how can you do it in a way that 
is fair, you know, and acceptable to consumers. Frankly, if you do 
it in a way that is not fair and acceptable, then you get a lot of 
backlash, and we have seen that. 

Now, I said earlier that I think the right approach is opt-in cou- 
pled with opt-out, and in fact, in terms of the history of the Inter- 



63 


net, this is common sense to most people. If you want to get on a 
mailing list, if you want to receive information about a topic area, 
you subscribe to the list, and you get it for as long as you want, 
and if you are not happy about it or if you lose interest, you 
unsubscribe, and the relationship ends. 

What a lot of the marketing companies try to do, in effect, is they 
said, “Oh, we are not really concerned if you are interested in this; 
we think you are interested in this; we are going to put you on the 
list, and we are going to make it difficult for you to get off the list”. 
Now, I think in that kind of relationship, people understandably 
aren’t going to be very happy, so what I think a good privacy law 
does is establish those practices that allow businesses and con- 
sumers to say, “OK, we all agree to this; I want to get that infor- 
mation, and this is going to be made to work”. 

And I think, of course, in the medical privacy area, it is particu- 
larly important to do that, as Eli Lilly learned this past week with 
their inadvertent mailing. 

Mr. Schwartz. Let me begin by saying something about health 
information. You are absolutely right that having anonymous infor- 
mation and good statistical data sets is critical to the nation’s pub- 
lic health. This is something on which I have been privileged to 
work with Department of HHS. The Center for Disease Control and 
the National Center for Vital Health Statistics look at these issues 
very carefully to make sure that there are high-quality, statistical 
data sets for the nation’s scientists to work with. 

The second thing I would like to say is that I think what you are 
describing. Senator, is the development of a mass-market Internet. 
We have gotten there quickly. There are people who say that every 
year in Internet time is about 7 years off the Internet because ev- 
erything changes so quickly. We have moved very quickly from a 
first generation Internet in which there were only scientists on it 
to now I don’t know how many generations in which everybody is 
on it. I have to tell you personally this is something I have felt, be- 
cause my mother a number of years ago decided to get a computer 
at home, and for a while, I felt like I was on full-time tech support 
in addition to teaching law and going about my life. So now every- 
body is on the Internet, and it is not surprising that Congress is 
thinking about consumer protection legislation. 

And I think in the history of this country, as other devices such 
as the automobile, such as commercial aviation, move into the 
mass market. Congress has stepped in to try to stop some of the 
abuses. 

Senator Ensign. Thank you, Mr. Chairman. 

The Chairman. Very, very good. This has been an outstanding 
panel. The Committee is indebted to you, and we will leave it open 
for questions or any add-ons that you may have and your observa- 
tions. 

We have got to move now to panel number 2 as quickly as we 
can. We thank them for their patience. We have got Hans Peter 
Brondmo, author of “The Engaged Customer; ” Les Seagraves, the 
vice president of Earthlink; Paul Misener, of Amazon, he is the vice 
president of global public policy; Jason Catlett, the president and 
founder of Junkbusters; and Ira Rubinstein, the associate general 
counsel of Microsoft. 



64 


And I realize the hour is getting late, and we are going to have — 
you see the interest of the Senators here, and we are going to have 
to give everyone just as much time as you possibly need. We will 
include the statements in their entirety in the record, and we will 
ask you if you can please summarize them in 5 minutes, so that 
will take the next half-hour here with this important panel. 

Mr. Seagraves, are you ready? 

STATEMENT OF LES SEAGRAVES, VICE PRESIDENT 
AND CHIEF PRIVACY OFFICER, EARTHLINK INC. 

Mr. Seagraves. Mr. Chairman and members of the Committee, 
I am the chief privacy officer for Earthlink. I appreciate this oppor- 
tunity to speak to you about Earthlink, privacy, and legislation. 

Earthlink, based in Atlanta, is the nation’s second largest Inter- 
net service provider, connecting approximately 5 million customers 
to the Internet through dial-up, broad band, and wireless services. 
We have built our company and customer base over the last 7 
years by providing fast, reliable connections and superior customer 
service and technical support. 

Our focus on customer service has immersed us in the privacy 
debate. While we generate the majority of our revenue from month- 
ly subscription fees, there is always the temptation, not to mention 
a compelling business case, to sell our valuable customer informa- 
tion to third parties. But early in our company’s history, we de- 
cided to forego additional revenue we could make from selling our 
customers’ personal information in exchange for gaining our cus- 
tomers’ long-term trust by protecting their privacy. 

This decision continues to be a tough one. On one hand, 
Earthlink stands on the threshold of renewed profitability with 
pressure from shareholders and the investment community to 
squeeze out every extra dollar we can, and with the devaluation of 
Internet advertising, merchants are increasingly willing to pay for 
targeted personal information. 

On the other hand, we are an ISP with a strong focus on cus- 
tomer service. Our customers rely on us not only to give them fast, 
reliable Internet connections, but to help them enjoy the best pos- 
sible online experience. If our customers have technical problems, 
they can use our tech support. To reduce spam, they look to us to 
provide both service-side and client-side filters. And regarding their 
personal information, they look to us to protect their privacy. We 
have gladly accepted this role and continue to garner high levels 
of customer satisfaction and loyalty. 

As an ISP, we are not just running a web site. We have lots of 
detailed customer information that would be quite valuable to af- 
filiates or partners or other third-party marketers. Opt-in versus 
opt-out really isn’t an issue for us, because we don’t share cus- 
tomers’ personal information. Although our privacy policy may 
seem to be typical notice, choice, access, and security, the fact is 
Earthlink has chosen not to be in the business if selling, sharing, 
or renting customers’ personally identifying information, and this 
is a huge distinction between Earthlink and many other companies 
that collect information online. 

We believe that good privacy means good business. Trust equals 
revenue. Earthlink has highlighted privacy in its national adver- 



65 


tising campaign with great response. I think it is important to 
point out the forces that control Earthlink’s actions and decisions 
on privacy today. First, a strong stance on privacy is just good busi- 
ness. On the outside, we are guided by the FTC privacy guidelines 
and Section 5 of the FTC Act. On the inside, we do what we say 
we are going to do. This is one of the core values and beliefs devel- 
oped by former Earthlink chairman and MindSpring founder, 
Charles Brewer. If we make a huge privacy mistake, we would be 
severely penalized by the press, our customers, and the market. 

Under most of the pending and proposed Federal legislation in 
Congress today, Earthlink probably already complies without mak- 
ing any changes. We have a solid privacy policy. We notify cus- 
tomers of the information we collect, and although we say we give 
customers a choice of sharing their information, so far we have not 
asked to make that choice. Customers can access their information 
24 hours a day. Our network security involves some of the most ad- 
vanced practices in the industry. 

Federal legislation would have certain benefits. It could set a 
much needed Federal standard for privacy policies and practices. It 
could preempt state law, eliminating the need for Earthlink to 
navigate 50 different state privacy laws. It would also help to weed 
out those companies that abuse the privacy of consumers. 

Congress should exercise care not to create a regulatory mine 
field for good companies like Earthlink that do their best to comply. 
Legislative requirements should not prevent us from clearly and ef- 
fectively communicating with our customers about their privacy 
and choices. Legislation should not strain the ability of Govern- 
ment by enforcing broad laws that focus on technical compliance 
rather than on actual harm to consumers. 

Most of our customers want to take advantage of the convenience 
and the innovation that the Internet provides. They want to get the 
best prices for the merchandise and services. They don’t want to 
have to log in to every web site. They want an Internet that is cus- 
tomized to their tastes and preferences. They also want protection 
from fraud and misuse of their information. Our customers would 
benefit from the creation of a standard that clearly gives them the 
information they need to make intelligent decisions about their 
own privacy. 

By encouraging the same technical innovation that brought us 
the Internet, Congress can rely on the private sector as a partner 
in protecting privacy. If you must pass privacy legislation, focus on 
setting a standard, not creating regulatory barriers. Focus on get- 
ting customers meaningful information they really need to make 
decisions. Focus on helping good companies like Earthlink provide 
services that people really want and use and thereby drive the 
economy. 

Thank you again for the opportunity to testify. 

The Chairman. Thank you, sir. 

[The prepared statement of Mr. Seagraves follows:] 

Prepared Statement of Les Seagraves, Vice President and 
Chief Privacy Officer, EarthLink, Inc. 

Mr. Chairman and Members of the Committee: My name is Les Seagraves and 
I am the Chief Privacy Officer for EarthLink. I appreciate this opportunity to speak 
to you about EarthLink, privacy and legislation. 



66 


EarthLink, based in Atlanta, is the nation’s 2nd largest Internet Service Provider, 
connecting approximately 5 million customers to the internet through dial-up, 
broadband and wireless services. We have built our company and customer base 
over the last 7 years by providing fast, reliable connections and superior customer 
service and technical support. 

Our focus on customer service has immersed us in the privacy debate. While we 
generate the majority of our revenue from monthly subscription fees, there is always 
the temptation, not to mention a compelling business case, to sell our valuable cus- 
tomer information to third parties. But early in our company’s history we decided 
to forgo the additional revenue we could make from selling our customers’ personal 
information in exchange for gaining our customers’ long term trust by protecting 
their privacy. 

This decision continues to be a tough one. On one hand, EarthLink stands on the 
threshold of renewed profitability with pressure from shareholders and the invest- 
ment community to squeeze out every extra dollar we can. And with the devaluation 
of internet advertising, merchants are increasingly willing to pay for targeted per- 
sonal information. 

On the other hand, we are an ISP with a strong focus on customer service. Our 
customers rely on us not only to give them fast, reliable internet connections, but 
to help them enjoy the best possible online experience. If our customers have tech- 
nical problems, they can use our award-winning technical support. To reduce spam, 
they look to us to provide both server-side and client-side filters. And regarding 
their personal information, they look to us to protect their privacy. We have gladly 
accepted this role and continue to garner high levels of customer satisfaction and 
loyalty. 


WHY IS EARTHLINK DIFFERENT? 

As an ISP, we’re not just running a website. We have lots of detailed customer 
information that would be quite valuable to “affiliates” or “partners” or other third- 
party marketers. Opt-in versus opt-out really isn’t an issue for us because we don’t 
share customers’ personal information. Although our privacy policy may seem to be 
the typical notice, choice, access and security, the fact is that EarthLink is not in 
the business of selling, sharing or renting customers’ personally identifying informa- 
tion. This is a huge distinction between EarthLink and many other companies that 
collect online information. We believe that good privacy means good business. Or 
put another way, trust equals revenue. EarthLink has highlighted privacy in its na- 
tional advertising campaign with great response. 

While we believe that our current privacy policy meets industry best practices, we 
are currently working on a new privacy policy which should set an example for prop- 
er clarity and scope. We will, in clear plain language, explain how and what infor- 
mation we collect, what we do with it and what a customer can do to protect their 
information. We have developed the following privacy principles as an internal guide 
to our day to day business activity: 

1. We will let our customers know all of the personal information that we collect 
and what we do with it. 

2. We will not give, sell or share personally identifying information to anyone ex- 
cept to: 

• comply with valid law enforcement requests for information 

• deliver our service to our customers 

• honor agreements where customers come to us through third-party promotions. 

3. No one else will use the information that our customers give to us to contact 
our customers except on our behalf. 

4. Our customers will be able to choose what non-essential information they pro- 
vide to us. 

5. Our customers will be able to choose how we contact them. 

6. Our customers will have access to all of their personal information. 

7. We will take care to secure all customer information that we have. 

8. We will insure that all of our partners and contractors abide by and agree to 
these principles. 


WHY IS EARTHLINK DOING THIS? 

I think it is important to point out the forces that control EarthLink’s actions and 
decisions on privacy today. First, a strong stance on privacy is just good business. 
On the outside we are guided by the FTC privacy guidelines and Section 5 of the 
FTC Act. On the inside we do what we say we are going to do, this is one of the 
Core Values and Beliefs developed by former EarthLink Chairman and MindSpring 



67 


founder Charles Brewer. If we make a huge privacy mistake, we would be severely 
penalized by the press, our customers and the market. 

WHAT WOULD BE THE ADVANTAGES TO EARTHLINK IF FEDERAL LEGISLATION PASSED? 

Under most of the pending and proposed Federal legislation in Congress today, 
EarthLink probably already complies without making significant changes. We have 
a solid privacy policy. We notify customers what information we collect. Although 
we say we give customers a choice of sharing their information, so far we have not 
asked them to make the choice. Customers can access their information 24 hours 
a day through the internet or the telephone. Our network security involves some 
of the most advanced practices in the industry. 

WHAT WOULD BE THE ADVANTAGES TO EARTHLINK IF FEDERAL LEGISLATION PASSED? 

Federal legislation would have certain benefits. It could set a much needed Fed- 
eral standard for privacy policies and practices. It could preempt state law, elimi- 
nating the need for EarthLink to navigate 50 different state privacy laws. It would 
also help to weed out those companies that abuse the privacy of others. 

WHAT ARE EARTHLINK’S CONCERNS ABOUT LEGISLATION? 

Congress should exercise care not to create a regulatory minefield for good compa- 
nies like EarthLink that do their best to comply. Legislative requirements should 
not prevent us from clearly and effectively communicating with our customers about 
their privacy. Legislation should not strain the ability of government by enforcing 
broad laws that focus on technical compliance rather than the actual harm to con- 
sumers. 

In the media, much of the debate about privacy legislation seems to focus on opt- 
in versus opt-out provisions. While important, these provisions should be viewed in 
their proper context as part of the single information practice of notice. And we 
should all recognize that no standard is foolproof. Even with the stricter opt-in 
standard, if the boxes on the screen are already checked, is it still opt-in? With ei- 
ther an opt-in or an opt-out standard, the bottom line is to ensure customer notice 
and consent. 

We should further note that any proposed new privacy legislation would not be 
the first. Congress has a long history of enacting laws that address the use of per- 
sonal information, including the Gramm-Leach-Bliley Act, the Health Insurance 
Portability and Accountability Act (HIPAA), the Children’s Online Privacy Protec- 
tion Act (COPPA), the Electronic Communications Privacy Act (ECPA), and many 
others. 

However, Congress should also be aware of the unintended consequences that can 
result from even the best intentioned legislation. While few would argue with the 
goal of COPPA to prevent the collection of information from young minors, the cost 
of compliance proved to be too great for many legitimate, independent, local kid-ori- 
ented websites. In an online world where an increasing amount of web traffic is con- 
centrated in a relative handful of sites owned by large media and software compa- 
nies, privacy protection should not further reduce diversity on the World Wide Web. 

HOW WOULD LEGISLATION EFFECT EARTHLINK’S CUSTOMERS? 

Most of our customers want to take advantage of the convenience and innovation 
that the internet provides. They want to get the best prices for merchandise and 
services. They don’t want to have to log in to every web site. They want an internet 
that is customized to their tastes and preferences. They also want protection from 
fraud and misuse of their information. Our customers would benefit from the cre- 
ation of a standard that clearly gives them the information they need to make intel- 
ligent decisions about their own privacy. By encouraging the same technical innova- 
tion that brought us the internet, Congress can rely on the private sector as a part- 
ner in protecting privacy. 

conclusion: suggestions to lawmakers 

If you must pass privacy lepslation, focus on setting a standard not creating regu- 
latory barriers. Focus on getting customers meaningful information they really need 
to make decisions. Focus on helping good companies like EarthLink provide services 
that people really want and use and thereby drive the economy. 

Thank you again for the opportunity to testify. 



68 


EAHTHLINK CORE VALUES AND BELIEFS 

What’s important at EarthLink? We are convinced that the key to creating a truly 
great organization is an intense focus on the values that guide its people’s actions. 
These are EarthLink’s “Core Values and Beliefs”. If we don’t seem to be living up 
to them, call us on it! 

• We respect the individual, and believe that individuals who are treated with re- 
spect and given responsibility respond by giving their best. 

• We require complete honesty and integrity in everything we do. 

• We make commitments with care, and then live up to them. In all things, we 
do what we say we are going to do. 

• Work is an important part of life, and it should be fun. Being a good 
businessperson does not mean being stuffy and boring. 

• We love to compete, and we believe that competition brings out the best in us. 

• We are frugal. We guard and conserve the company’s resources with at least 
the same vigilance that we would use to guard and conserve our own personal re- 
sources. 

• We insist on giving our best effort in everything we undertake. Furthermore, 
we see a huge difference between “good mistakes” (best effort, bad result) and “bad 
mistakes” (sloppiness or lack of effort). 

• Clarity in understanding our mission, our goals, and what we expect from each 
other is critical to our success. 

• We are believers in the Golden Rule. In all our dealings we will strive to be 
friendly and courteous, as well as fair and compassionate. 

• We feel a sense of urgency on any matters related to our customers. We own 
problems and we are always responsive. We are customer-driven. 

The Chairman. Mr. Brondmo. 

STATEMENT OF HANS PETER BRONDMO, AUTHOR, “THE 
ENGAGED CUSTOMER” AND NETCENTIVES, INC. FELLOW 

Mr. Brondmo. Chairman Hollings, members of the Committee, I 
thank you for inviting me to participate in this very important 
hearing about Internet privacy. 

I am a technology entrepreneur. I am an author, and I am a con- 
sultant to industry on the usage of customer information and email 
to build customer relationships. The company I founded in 1996, 
NetCentives, today manages over 50 million relationships with cus- 
tomers. It manages customer information, opt-in and opt-out, on 
over 50 million people on behalf of some of the leading corporations 
in this country. 

At the center of the debate about Internet and privacy is a very 
simple question. Who owns information about an individual? Does 
a person have rights to and control of the information being gath- 
ered about him or her? Or should whoever collects the information 
be able to use and commercially exploit that information in any 
manner they see fit? 

My remarks this morning will revolve around this broader issue 
of information ownership, specifically how we think about collecting 
and using personally identifiable information consistent with our 
beliefs both in personal liberty and in free enterprise. I begin by 
suggesting that we consider personal information to be a capital 
asset, just like we do financial information. 

It goes without saying that no modern business survives today 
in a fiercely competitive marketplace if it keeps its financial assets 
in disarray, not knowing how much working capital is available, 
and not knowing who is managing the money. Yet that is exactly 
how most companies manage their customer information assets 
today. They don’t know what they have got; they don’t know who 



69 


has got what; and they don’t know what data bases contain what 
information. 

It turns out that a comparison between financial assets and in- 
formation assets provides a powerful model for thinking about in- 
formation ownership. To illustrate this, let’s consider the following 
familiar example from the banking world. 

Like many Americans, I have some savings, and I have a stock 
portfolio. I have chosen to hand over control of my financial assets 
to professional asset managers. I keep my money in a local bank, 
and I work with a stockbroker. When selecting my bank and stock- 
broker, I have two primary selection criteria: trust and returns. If 
I do not trust a bank, I will not give them my money, and if the 
competition, the bank next door, consistently out-performs and of- 
fers better returns, what will I do? I will withdraw my money, and 
I will deposit it with the bank next door, with the competition. 

As individuals, I believe that we are increasingly becoming 
aware that our personal information also has value, and just as we 
will choose to deposit our financial assets with asset managers 
based on trust and returns, we are learning to apply the same two 
criteria when we deposit our personal information with a business, 
and if that business breaches our trust or does not manage our in- 
formation in order to generate a return in the form of good service, 
convenience, what will we do? We will withdraw it, and we will de- 
posit it with a competitor who does. 

In short, the expectation is that we own and control our personal 
information. Yet while the individual may own the information 
about themselves, we must also realize that it is this information 
when used properly which enables businesses to build relationships 
with its current and prospective customers, and to realize signifi- 
cant financial gain from its ongoing interactions with those cus- 
tomers. 

Without access to personally identifiable information, companies 
cannot get to know their prospects and customers, and if they can- 
not know and enter into personal dialog with these very people 
they do business with, it is equivalent to not being able to greet 
a customer when she first walks into your store, or even worse, not 
being able to develop a relationship with that customer and recog- 
nize her for her loyalty when she returns to that store over and 
over again. 

Yet does the customer want the store to know her before she has 
even introduced herself? Does walking into a store for the first time 
constitute some implicit permission for the store to dip into a data 
base and look up who she is? Would she be comfortable if the gro- 
cery store knew how many children she has the very first time she 
entered? Would she be concerned if the grocer sold their knowledge 
about her low-fat diet to her insurance provider without explicit 
permission? 

The issue is one of personal choice about personal data, and 
these are exactly the questions we are debating when we are dis- 
cussing notice, choice, access, and security. 

In summary, the new thinking that must be adopted in order to 
realize the potential value and benefits inherent in the smart use 
of customer information is based on the following two principles: 
first, that the individual owns and controls his or her personal in- 



70 


formation and chooses to deposit that information with companies 
based on expectations of trust and returns; second, that businesses 
represent themselves as the custodians, not the owners, of personal 
information. They invest in and actively manage that information 
asset in order to generate returns for the customers and for their 
shareholders. 

To ensure broad adoption of these principles, I believe that gov- 
ernment regulation is necessary. While it is not the role of Govern- 
ment to dictate to companies what they may do with information 
nor what information they may collect, it is the responsibility, in 
my view, of the Federal Government as an extension of its constitu- 
tional duty to protect civil liberties, to ensure that the use of infor- 
mation is based on clear notice, consent, and always under the con- 
trol of the individuals to who it belongs. 

Mr. Chairman, members of the Committee, change is always dif- 
ficult. As we all know, it is difficult at the personal level, and it 
can be painful and sometimes expensive at the corporate level. 
When change came to the auto industry a few decades ago, it was 
resisted, not embraced. We all know the consequences. It is in my 
humble opinion time for all corporate America to change the way 
it uses and manages customer information. Leaders who embrace 
this change will stand to win big. Those who resist it will be left 
behind. 

I am encouraged by your leadership in this area, and thank you 
for the opportunity to address the Committee this morning. 

The Chairman. We thank you. 

[The prepared statement of Mr. Brondmo follows:] 

Prepared Statement of Hans Peter Brondmo, Author, 

“The Engaged Customer” and Netcentives, Inc. Fellow 

Chairman Hollings, Senator McCain and Members of the Committee thank you 
for inviting me to participate at this important hearing on Internet privacy. My 
name is Hans Peter Brondmo and I am a technology entrepreneur, author and con- 
sultant to industry on the usage of customer information and email to build cus- 
tomer relationships. I believe that these hearings are timely because we find our- 
selves at a fork in the road where one path can lead us to a win both for individual 
rights and for industry, while the other takes us down a treacherous path where 
all parties loose. Strong leadership and decisive action will ensure that we choose 
the correct path. 

At the center of the debate about Internet and privacy is a simple question: Who 
owns information about an individual? Does each person have rights to and control 
of the information being gathered about him or her or should whoever collects the 
information be able to use and commercially exploit it in any manner they see fit? 
While the question may be simple the answers are complex. 

My remarks today focus on the broader issue of information ownership in which 
I propose a framework for how we think about collecting and using personally iden- 
tifiable information, consistent with our belief both in personal liberty and in free 
enterprise. I will return to this framework momentarily. First let me take a brief 
look at where we find ourselves at this moment in time. 

It seems that historically the rules which govern what information a company can 
collect about its customers and prospects and what they can do with this informa- 
tion favors industry over individual rights. For example, there have been egregious 
instances in which many a credit worthy individual has been summarily denied a 
home mortgage, auto loan or educational financing on the basis of incorrect personal 
data that had been surreptitiously collected and never submitted to the person for 
verification. Erroneous data often has been through the hands of several firms with- 
out the individual’s knowledge, making correction impossible. Meanwhile, without 
effective recourse, a deserving individual’s personal life is severely damaged. 

The attitude that dominates the current business environment is that Federal pri- 
vacy legislation will hamper free enterprise and limit industry’s ability to grow and 



71 


innovate. I disagree with this attitude and believe that we need to move away from 
the mindset that any information a company captures about their customers is 
theirs to exploit and even sell in whatever manner they see fit. I would like to pro- 
pose that industry allows the free market to determine the value of their integrity. 
If customers trust the organizations they do business with and these businesses 
have integrity, customers will award them with access to their personal information. 
If not, it seems only reasonable that a customer must be allowed to inspect or with- 
draw that information. An obvious question is why now? If we have managed so far, 
why can we not continue on the same program? And the answer is obvious — The 
Internet. According to what we read, every device and tool we rely on to enhance 
our lives will soon be connected to the Internet: our automobiles, our homes, our 
cellular telephones, our television sets, our hand-held cameras, our Jacuzzi tub, our 
electronic credit card. And while the benefits are many including pervasive access 
to information and the ability to communicate regardless of location, there is a dark 
side. These devices will pass along information about who is using them, where they 
are located and perhaps even details about what a person is doing. This information 
about individuals can be collected and analyzed in ways that were not possible prior 
to the Internet. The potential threats to privacy are enormous. 

While the new technologies present fantastic opportunities and real threats to in- 
dividual rights it is also important to recognize that the challenges posed to indus- 
try are real and formidable as well. Internet technologies are changing the manner 
in which companies conduct commerce. They are fundamentally impacting the way 
businesses communicate with and service their customers. It’s a fact that personally 
identifiable information is a key ingredient to individualized and successful com- 
merce in an information economy. Just as fossil fuels powered the industrial revolu- 
tion and new transportation technologies made it possible to achieve economies of 
scale, information is the fuel of the global economy and the Internet is the engine 
powering an explosive growth. My experience has convinced me that if the ability 
to collect and use customer information is compromised, American industry will be 
at a competitive disadvantage. That said, business as usual will not do. 

While some industry leaders are holding themselves to high standards, a majority 
of businesses still think in old terms regarding how to realize value from personally 
identifiable information. Corporations needs to come to terms with a new definition 
of the value they realize from such information both in order to safeguard personal 
liberties and in order to realize the vast potential of properly managed information. 

Central to this definition of value are two assumptions: first that customer infor- 
mation is a precious capital asset and second, that the individual, not the company 
they do business with owns and controls information about themselves. 

Acting on these two assumptions, let me return to the framework that I made ear- 
lier reference to. It goes without saying that no modern business survives long in 
today’s fiercely competitive marketplace if it keeps its financial assets in disarray 
not knowing how much working capital is available and who has the money. Yet 
that’s exactly how most companies manage their customer information. They don’t 
know what they’ve got, they don’t know who has what and they don’t know what 
databases contain what information. It turns out that the comparison between fi- 
nancial capital and information capital is a good way to illustrate the new frame- 
work. Consider the following familiar example from the banking industry. 

Like most Americans, I have money in the bank and I have a stock portfolio. I 
have chosen to hand over my financial assets to professional asset managers. I keep 
my money in a local bank and a I work with a stockbroker. When selecting my bank 
and stockbroker I had two primary selection criteria: TRUST and RETURNS. If I 
do not trust a bank I will not give them my money. And if the competition, the bank 
next door, consistently offers better returns what will I do? I will withdraw my 
money from my current bank and deposit it with the competition. 

As individuals we are increasingly becoming aware that our personal information 
has real value. And just as we will choose to deposit our financial assets with asset 
managers based on TRUST and RETURNS, we are learning to apply the same two 
criteria when we “deposit” our personal information with a company. And if that 
company breaches our trust or does not manage our information in order to gen- 
erate a return in the form of good service and convenience, we will withdraw it and 
deposit it with a competitor who does. 

Information that an organization collects about the individuals it interacts with 
should be treated like a capital asset. It is this information, when used properly, 
which enables a company to build relationships with their current and prospective 
customers and to realize significant financial gain from its ongoing interactions with 
those customers. Without access to personally identifiable information companies 
cannot get to know their prospects and customers. And if they cannot know and 
enter into a personalized dialogue with the very people they do business with, it is 



72 


equivalent to not being able to greet a customer when she walks into a store. Or 
even worse, not being able to develop a relationship with that customer and recog- 
nize her for her loyalty when she returns to that store over and over again. 

Yet does the customer want the store to know who she is before she has intro- 
duced herself? Does walking into a store for the first time constitute implicit permis- 
sion for the store to dip into a database and look up who she is? Would she be com- 
fortable if a grocery store knew how many children she has the very first time she 
entered? Would she be concerned if the grocer sold their knowledge about her low- 
fat diet to her insurance provider without her permission and knowledge? The issue 
is one of personal choice about personal data. And these are the types of questions 
we are asking when we discuss “opt-in” policies, notice and access. 

To address these important concerns, I offer four principles that exemplify the 
new thinking I believe must be adopted in order to realize the potential value and 
benefits inherent in the smart use of customer information. 

• Organizations (data vendors) represent themselves as the custodians — not own- 
ers, of personal information 

• Organizations invest in and actively manage the information they gather about 
individuals in order to generate a return to those individuals as well as to all other 
constituents (shareholders) 

• The individual owns and controls his or her personal information and chooses 
to deposit it with a company based on expectations of TRUST and RETURNS. 

• Individuals receive many benefits such as better service and more relevant in- 
formation, timesavings and achieve higher efficiencies as an organization gets to 
know them by collecting and appropriately utilizing personal information about 
them. 

While the argument that industry self regulation can address all these principles 
may seem appealing, it is my belief that unless we have uniform and consistent 
rules providing a foundation for these principles the individual cannot rely on for 
protection and consistency. Furthermore it means we do not have a level pla 3 dng 
field for industry. 

Let me share with you an example that illustrates some common misconceptions 
and hurdles that confront those who favor giving customers proper notice, access 
and control of their personal information. And while this example illustrates a com- 
pany that did the right thing in the end, it also illustrates that doing right by the 
customer is doing right by the business and therefore that appropriately written leg- 
islation will have a net positive impact on business. 

The email marketing company I founded in 1996 has worked for several years 
with an online music retailer. Some time ago the retailer was experiencing a cus- 
tomer satisfaction problem because they were sending too many promotional emails 
to their customers. Once you had made a purchase from the company you were 
added to their marketing database and began receiving electronic commercials. It 
was very difficult to stop the flood. We argued for better notice and a simple and 
straightforward unsubscribe mechanism, making it easy for customers to remove 
their name from the mailing list. The company hesitated to heed our advice for 
seemingly logical reasons: They had spent tens of millions of dollars on marketing 
to attract their customers and we were telling them that if a customer wanted to 
disengage, it should not only be possible, it should be easy. They could not convince 
themselves that “letting a customer go” was good business. As their satisfaction 
problems continued to grow the music retailer finally decided to perform a test with 
a small sub-segment of their customers. They implemented a very simple one-click 
unsubscribe process for the test-customers making it easy for them to stop the 
emails or modify their personal profile. To the retailer’s great surprise, they discov- 
ered that their new process had no negative impact on the business whatsoever. The 
people that complained about receiving too many emails were not likely to make any 
more purchases. More astonishing was the fact that when the company rolled out 
the new functionality to their whole customer base and promoted on their e-com- 
merce weh-site how easy it was to opt-out, their level of opt-in improved signifi- 
cantly. People were more comfortable signing up when they knew they were in con- 
trol and it would be easy to disengage from the service should they not want it in 
the future. Providing customers with the ability to easily access and change their 
personal profile information, including removing their names altogether built trust 
and confidence. The music retailer profited from making it easy for its customers 
to unsubscribe or disengage. 

As this example illustrates determining what is appropriate notice and what rep- 
resents adequate permission in order to collect personally identifiable information 
is not simple. Furthermore it would also seem that there is no single solution appro- 
priate for all situations. My experience has convinced me that opt-out with notice 
may be an appropriate level of protection in many instances. Yet there are also 



73 


many cases where strict opt-in is the only appropriate solution. In situations where 
information is being collected strictly for internal use in an organization, my opinion 
is that an appropriate level of protection is afforded by requiring opt-out with notice. 
Where there may be possibilities that personally identifiable information will be 
transferred to an external organization that an individual is interacting with, it 
seems the only appropriate solution is to require full opt-in. 

What is key here is the concept that no matter the circumstance, every firm must 
assume full responsibility for protecting personal data entrusted to it, whether by 
customers, employees or prospects. Implementation will necessarily vary with cir- 
cumstances but as in matters of law, policies will indicate intent. 

Finally we must acknowledge the considerable cost to industry implicit in requir- 
ing stricter enforcement of notice, permission and complete access to and control of 
personal information. In my opinion the requirement that industry provides individ- 
uals with access to and control of personally identifiable information will be the 
most costly component to implement as it probably requires that such information 
be centralized. 

Most organizations do not have the technical ability to centralize their customer 
information today, nor do they have the internal processes to enforce uniform and 
appropriate use of customer information. That said, it is feasible to implement such 
solutions with existing technology and developing best practices business processes 
to support such an initiative is a question of good management. Furthermore, the 
policy changes an organization must undertake to implement proper privacy protec- 
tion for its members and customers are the same initiatives essential to focusing 
the organization around its customers, an important trend in business and mar- 
keting. In other words, the investment made to protect the individuals’ privacy, is 
an investment in best business practices and will generate handsome returns when 
made a corporate priority. 

America is a country of innovators and inventors. The way personally identifiable 
information is managed by industry must change and I am convinced that the spirit 
of innovation and creativity will lead us to new and significantly enhanced solutions. 
I have no doubt we can create options that support industry’s need to collect, com- 
bine and even share personally identifiable information, all without compromising 
individual privacy. 

In order to drive this change, I believe that government regulation is necessary. 
While it is not the role of government to dictate to companies what they may do 
with customer information, it is the responsibility of the Federal government as an 
extension of its constitutional duty to protect civil liberties to ensure that the use 
of information is based on the consent and always under the control of the individ- 
uals to whom it belongs. We need a foundation for major change as well as a level 
playing field and only Federal legislation can establish the required ground rules. 
While industry self-regulation can work in some cases and in some states, it will 
not be an effective way to ensure that a win-win scenario for the all citizens of 
America and for industry alike. When it comes to protecting privacy and empow- 
ering a competitive data industry, the Federal government, in my opinion, has an 
indispensable role to play. 

Mr. Chairman, and Members of this Committee I am encouraged by your leader- 
ship in this area and thank you for the opportunity to address the committee this 
morning. 

The Chairman. Mr. Misener. 

STATEMENT OF PAUL MISENER, VICE PRESIDENT, 
GLOBAL PUBLIC POLICY, AMAZON.COM 

Mr. Misener. Thank you, Chairman Hollings, very much, and 
members of the Committee. My name is Paul Misener. I am Ama- 
zon.com’s Vice President for Global Public Policy. 

Mr. Chairman, Amazon.com is pro-privacy. The privacy of per- 
sonal information is important to our customers, and thus it is im- 
portant to us. Indeed, as Amazon.com strives to be Earth’s most 
customer-centric company, we must provide our customers the very 
best shopping experience, which is a combination of convenience, 
personalization, privacy, selection, savings, and other features. 

At Amazon.com, we manifest our commitment to privacy by pro- 
viding our customers notice, choice, access, and security. Ama- 



74 


zon.com was one of the very first online retailers to post a clear 
and conspicuous privacy notice, and last summer, we proudly un- 
veiled our updated and enhanced privacy policy by taking the un- 
usual step of sending email notices to all of our customers, then to- 
taling well over 20 million. 

We also provide our customers meaningful privacy choices. In 
some instances, we provide opt-out choice, and in other instances, 
we provide opt-in choice. We are an industry leader in providing 
our customers access to the information we have about them. They 
may easily view and correct as appropriate their contact informa- 
tion, payment methods, purchase history, and even the click stream 
record of products they view while browsing Amazon.com’s online 
stores. 

Finally, Amazon.com vigilantly protects the security of our cus- 
tomers’ information. Not only have we spent tens of millions of dol- 
lars on security infrastructure; we continually work with law en- 
forcement agencies and industry to share techniques and develop 
best practices. It is very important to note that other than obliga- 
tion to live up to pledges made in our privacy notice, there is no 
legal requirement for Amazon.com to provide our customers the 
privacy protections that we do. 

So why do we provide notice, choice, access and security? The 
reason is quite simple. Privacy is important to our customers, and 
thus it is important to Amazon.com. We simply are responding to 
market forces. Indeed, if we don’t make our customers comfortable 
shopping online, they will shop at established brick-and-mortar re- 
tailers who are our biggest competitors. These market realities lead 
us to conclude that there is no inherent need for privacy legisla- 
tion. 

That said, we have been asked whether Amazon.com could sup- 
port a privacy bill. Perhaps we could, Mr. Chairman, but only 
under certain circumstances. Under no circumstances would we 
support a state or local law governing online privacy. Not only 
would such laws be constitutionally suspect, a nationwide web site 
like Amazon.com would find it difficult, if not impossible, to comply 
with 50 or more sets of conflicting rules. 

At the Federal level, Amazon.com could support a bill that would 
require notice and meaningful choice, but only if it would preempt 
inconsistent state laws, bar private rights of action, and address 
both online and offline activities. Please allow me to briefly address 
each of these points. 

First, any Federal privacy legislation applied to online activities 
must preempt inconsistent state laws. Even though such laws most 
likely would fail a constitutional challenge, the expense and uncer- 
tainty of litigation should be avoided with a congressionally adopt- 
ed ceiling. 

Second, Amazon.com could support a privacy bill only if it would 
bar private rights of action. The threat of aggressive private litiga- 
tion would cause companies to balkanize their privacy notices for 
the sake of legal defensibility at the expense of simplicity and clar- 
ity. Ten-page privacy statements in fine print legalese would be- 
come the norm. 

A regulatory body such as the Federal Trade Commission, on the 
other hand, could balance the competing interests of legal precision 



75 


and simplicity. A class action plaintiffs lawyer would have no such 
motivation. 

Third and finally, Amazon.com believes that privacy legislation 
must apply equally to online and offline activities. It makes little 
sense to treat information collected online differently from the 
same and often far more sensitive information collected through 
other media, such as mail and warranty registration cards, point 
of sale purchase tracking, and magazine subscriptions. 

On the one hand, such parity is necessary in fairness to online 
companies, but more importantly, it would be misleading to Amer- 
ican consumers to enact a law that applies only to online entities, 
because for the foreseeable future, the putative protections of such 
a law would apply only to a tiny fraction of consumer transactions. 
Last year, online sales accounted for less than 1 percent of retail 
business. 

Obviously any law that addresses only online transactions could 
not benefit consumers much at all, compared to one that equally 
addresses online and offline activities. Moreover, to the extent it 
provides real consumer benefits, a law that addresses only online 
activities would have the perverse effect of failing to provide any 
benefits to those on the less fortunate side of the digital divide. In- 
deed, consumers who, because of economic situation, education or 
other factors are not online would receive no benefits from a new 
online-only law. 

In sum, Mr. Chairman, Amazon.com is pro-privacy in response to 
consumer demand and competition. We believe market forces are 
working and thus believe there is no inherent need for legislation. 
Nonetheless, Amazon.com could support limited Federal legislation, 
but only if it preempts state laws, only if it bars private rights of 
action, and only if it applies to offline as well as online activities. 

Thank you again for inviting me to testify, Mr. Chairman. I look 
forward to your questions. 

The Chairman. Thank you very much. 

[The prepared statement of Mr. Misener follows:] 

Prepared Statement of Paul Misener, Vice President, 

Global Public Policy, Amazon.com 

Chairman Hollings, Senator McCain, and members of the Committee, my name 
is Paul Misener. I am Amazon.com’s Vice President for Global Public Policy. Thank 
you for inviting me to testify today. 

A pioneer in electronic commerce, Amazon.com opened its virtual doors in July 
1995 and today offers books, electronics, toys, CDs, videos, DVDs, kitchenware, 
tools, and much more. With well over 30 million customers in more than 160 coun- 
tries, Amazon.com is the Internet’s number one retailer. 

Mr. Chairman, Amazon.com is pro-privacy. The privacy of personal information is 
important to our customers and, thus, is important to us. Indeed, as Amazon.com 
strives to be Earth’s most customer-centric company, we must provide our customers 
the very best shopping experience, which is a combination of convenience, personal- 
ization, privacy, selection, savings, and other features. 

At Amazon.com, we manifest our commitment to privacy by providing our cus- 
tomers notice, choice, access, and security. Please allow me to address each briefly: 

Notice. Amazon.com was one of the first online retailers to post a clear and con- 
spicuous privacy notice. And last summer, we proudly unveiled our updated and en- 
hanced privacy policy by taking the unusual step of sending email notices to all of 
our customers, then totaling over 20 million people. 

Choice. We also provide our customers meaningful privacy choices. In some in- 
stances, we provide opt-out choice, and in other instances, we provide opt-in choice. 
For example, Amazon.com will share a customer’s contact information with our 
trusted partner Greenlight.com only after that customer makes an opt-in choice. 



76 


Access. We are an industry leader in providing our customers access to the infor- 
mation we have about them. They may easily view and correct as appropriate their 
contact information, payment methods, purchase history, and even the “click- 
stream” record of products they view while browsing Amazon.com’s online stores. 

Security. Finally, Amazon.com vigilantly protects the security of our customers’ 
information. Not only have we spent tens of millions of dollars on security infra- 
structure, we continually work with law enforcement agencies and industry to share 
security techniques and develop best practices. 

It is very important to note that, other than an obligation to live up to pledges 
made in our privacy notice, there is no legal requirement for Amazon.com to provide 
our customers the privacy protections that we do. 

So why do we provide notice, choice, access, and security? The reason is simple: 
privacy is important to our customers, and thus it is important to Amazon.com. We 
simply are responding to market forces. 

Indeed, if we don’t make our customers comfortable shopping online, they will 
shop at established brick and mortar retailers, who are our biggest competition. 
Moreover, online — where it is virtually effortless for consumers to choose among 
thousands of competitors — the market provides all the discipline necessary. Our cus- 
tomers will shop at other online stores if we fail to provide the privacy protections 
they demand. 

These market realities lead us to conclude that there is no inherent need for pri- 
vacy legislation. That said, we have been asked whether Amazon.com could support 
a privacy bill. Perhaps we could, but only under certain circumstances. 

Under no circumstances would we support state or local laws governing online 
privacy. Not only would such laws be constitutionally suspect, a nationwide website 
like Amazon.com would find it difficult if not impossible to comply with fifty or more 
sets of conflicting rules. 

At the Federal level, Amazon.com could support a bill that would require notice 
and meaningful choice, but only if it would preempt inconsistent state laws, bar pri- 
vate rights of action, and address both online and offline activities. Please allow me 
to briefly address each of these points. 

Preempt State Law. First, any Federal privacy legislation applied to online ac- 
tivities must preempt inconsistent state laws. As I noted earlier, it would be vir- 
tually impossible for a nationwide website to comply with inconsistent rules from 
multiple jurisdictions. Even though such laws most likely would fail a constitutional 
challenge, the expense and uncertainty of litigation should be avoided with a Con- 
gressionally adopted ceiling. 

Bar Private Rights of Action. Second, Amazon.com could support a privacy bill 
only if it would bar private rights of action. The threat of aggressive private litiga- 
tion would cause companies to balkanize their privacy notices for the sake of legal 
defensibility, at the expense of simplicity and clarity. Ten-page privacy statements 
and fine-print legalese would become the norm. A regulatory body such as the Fed- 
eral Trade Commission, on the other hand, could balance the competing interests 
of legal precision and simplicity. A class action plaintiffs’ lawyer would have no such 
motivation. 

In addition, the aforementioned uniformity necessary to run nationwide websites 
would be destroyed by a host of trial lawyers suing companies all across the country. 
A single authority, such as the FTC, could provide the nationwide approach that 
private litigation cannot. 

Parity with Offline Activities. Third, and finally, Amazon.com believes that 
privacy legislation must apply equally to online and offline activities, including the 
activities of our offline retail competitors. It makes little sense to treat information 
collected online differently from the same — and often far more sensitive — informa- 
tion collected through other media, such as offline credit card transactions, mail-in 
warranty registration cards, point-of-sale purchase tracking, and magazine subscrip- 
tions. 

On one hand, such parity is necessary in fairness to online companies. It simply 
would not be equitable to saddle online retailers with requirements that our brick- 
and-mortar or mail order competitors do not face. 

But more importantly, it would be misleading to American consumers to enact a 
law that applies only to online entities because, for the foreseeable future, the puta- 
tive protections of such a law would only apply to a tiny fraction of consumer trans- 
actions. Last year, online sales accounted for less than one percent of all retail busi- 
ness. Obviously, any law that addresses only online transactions could not benefit 
consumers much at all compared to one that equally addresses online and offline 
activities such as using a grocery store loyalty card or subscribing to a magazine. 

Moreover, to the extent it provides real consumer benefits, a law that addresses 
only online activities would have the perverse effect of failing to provide any bene- 



77 


fits to those on the less fortunate side of the digital divide. Indeed, consumers who, 
because of economic situation, education, or other factors, are not online would re- 
ceive no benefits from a new, online-only law. 

In sum, Mr. Chairman, Amazon.com is pro-privacy in response to consumer de- 
mand and competition. We believe market forces are working and, thus, believe 
there is no inherent need for legislation. We firmly oppose the adoption of any non- 
Federal privacy law that addresses online activities. Nonetheless, Amazon.com could 
support limited Federal legislation, but only if it preempts state laws, only if it bars 
private rights of action, and only if it applies to offline as well as online activities. 

Thank you again for inviting me to testify, I look forward to your questions. 

The Chairman. Mr. Catlett. 

STATEMENT OF JASON CATLETT, PRESIDENT 
AND CEO, JUNKBUSTERS CORP. 

Mr. Catlett. Thank you, Mr. Chairman. It is an honor to appear 
before you again, and I would like to commend the Committee on 
its steadfast attention to privacy, particularly Senators Wyden and 
Burns for their hard work on junk email. Rather than reading a 
prepared statement today, I would like to comment on some of the 
examples that you have raised. 

Gramm-Leach-Bliley, I think, serves as an excellent example of 
the utter failure of the opt-out model. A survey by the American 
Banking Association found that 41 percent of people do not recall 
having received their notices, so their privacy interests do not seem 
to be protected by this. 

We could take an example of one of these privacy notices, which 
are very confusing and, in my opinion, highly deceptive in some 
cases. Let’s take U.S. Bancorp’s consumer privacy pledge which 
opens with the sentence, “Protecting your privacy is important to 
the U.S. Bancorp family of financial service providers.” 

If you read 400 words down, you will then find that the bank al- 
lows itself to disclose all of the information it has to other financial 
institutions with which it has joint marketing arrangements. In- 
deed, according to the state attorney general of Minnesota, Mike 
Hatch, the company has a history of making such disclosures. 

He alleges that U.S. Bank has disclosed the following informa- 
tion, which is in my written testimony: name, address, telephone 
numbers, gender, marital status, home ownership status, occupa- 
tion, checking account number, credit card number. Social Security 
number, birth date, account open date, average account balance, 
automated transactions authorized, credit card type and brand, 
number of credit cards, cash advance amount, behavior score, 
bankruptcy score, date of last payment, amount of last payment, 
date of last statement, statement balance. 

Now, in its defense, the CEO of the bank characterized this kind 
of transaction as an industry-wide practice, and as the bank’s pri- 
vacy statement discloses, it can continue to do this. Now, I think 
if you were to ask the average American consumer, is she happy 
about having all of this information sold to a telemarketer, I think 
we can assume that she would say “no”. And yet her interests and 
wishes are not being served by the opt-out model. She has to find 
the statement, read it, go through the opt-out procedure, and under 
the limited rights provided by Gramm-Leach-Bliley, can’t even opt 
out of many of the uses of information. 

So I think this example shows that opt-in is the appropriate 
standard. If the bank wishes to be able to sell information about 



78 


its customers, it can offer them a month’s free checking in return 
and obtain their permission. That is the appropriate standard in 
my view. 

Another example that you have raised was the case of Eli Lilly 
accidentally disclosing information about the takers of Prozac, and 
I think here is an example of why a private right of action is essen- 
tial. You could ask: Is the market going to punish Eli Lilly for this 
breach of privacy? Is it plausible, for example, that a depressive pa- 
tient sitting in his doctor’s office would say, “No, no, don’t prescribe 
me Prozac; I don’t like the manufacturer’s privacy practices”. 

No. I think there is a clear failure here of the market to provide 
a feedback, and if a private right of action were available for $500, 
then that would clarify the minds of the manufacturers and provide 
an incentive get its security procedures in place and to ensure that 
that kind of incident doesn’t happen again. 

Another example of the private right of action occurred with 
Amazon. The Federal Trade Commission found in May that Ama- 
zon had likely been deceptive in its information practice descrip- 
tions that it had given to customers, but it decided to take no ac- 
tion, in part because Amazon had updated its description to con- 
form with those practices. 

I think if you take the analogy, as we have heard, with financial 
information, that if the SEC discovered a company had misled in- 
vestors in a prospectus but then changed the figures and let them 
off, we would regard that as unsatisfactory. So I think a private 
right of action will allow individuals to continue to defend their in- 
terests where a Federal Government agency may be disinclined to 
do so. 

The next example I would like to take you raised is safe harbor, 
which is not an ideal privacy standard in my view, but it is much 
higher than the average American gets from the average company, 
and I commend Microsoft for recently announcing that it would ad- 
here to safe harbor, not only for its European customers but also 
for all customers worldwide. 

I have been a long critic of Microsoft because of their failure to 
live up to their own statements of privacy, but I do hope that they 
will observe this, and I think it raises the question of whether 
Microsoft would support such a standard being mandated by Fed- 
eral law and why these many other companies that have signed on 
think that the citizens of this country should not have privacy 
rights equivalent to those which they are willing to grant to other 
countries. 

The next example I would like to raise that you have been dis- 
cussing is the question of online versus offline. Should higher 
standards apply to the online world? My answer is yes for collec- 
tion, but no for other types of issues such as access to information, 
which I think is very important and onward forwarding of the in- 
formation. The Internet provides enormous opportunities for the 
collection of information. 

If I go into a physical book shop and look at a title on the shelf, 
no one is recording that, but an online book shop is. Traditionally 
Congress has looked at the ability of technologies to invade privacy, 
and applying one standard to all technology is like saying that a 
thermal imaging system which can see through the walls of your 



79 


house as your body moves from room to room should be subjected 
to the same privacy standards as a photocopier. This is absurd. It 
is totally appropriate to have technology-specific controls for collec- 
tion of information. 

But for principles such as the access to the information and for 
the question of whether the permission of the consumer concerned 
should be given, provided before it is disclosed for a secondary pur- 
pose, then I think the same standards should prevail online and 
offline. 

My third point is about P3P, which I have written extensively on, 
concluding that it really will not raise the privacy of the average 
Internet user, and that it has become more a pretext for privacy 
procrastination than a technology that will improve privacy. But as 
my time has expired, I will pass to Microsoft to present on that. 
Thank you. 

[The prepared statement of Mr. Catlett follows:] 

Prepared Statement of Jason Catlett, President 
AND CEO, JUNKBUSTERS CORP. 

My name is Jason Catlett, and I am President and CEO of Junkbusters Corp., 
a for-profit company working with businesses, governments and legislators to pro- 
mote privacy and reduce unwanted solicitations such as junk email. My Ph.D. was 
in Computer Science, and I have also held various academic positions, most recently 
as a fellow at the Kennedy School of Government, Harvard University (2001-2002 
academic year). I’d like to thank the Committee for inviting me to appear again 
today, and for its past hearings on privacy. 

Rather than repeating matter from my written statement of May 25 last year or 
from the testimony today of Professors Rotenberg and Schwartz (with which I con- 
cur), I would like to examine several events and trends over the past 13 months 
since I appeared before you all, and ask how they should inform your deliberations. 
My view is that recent experience reinforces the conclusion that strong comprehen- 
sive privacy law is urgently needed, with a private right of action and without the 
preemption of state law. 

Over the past year businesses have admitted that privacy is a problem that is not 
going to go away without legislation. Executives at companies such as Hewlett-Pack- 
ard, Dell, Intel, and the American Electronics Association (a large trade group) have 
called for Federal privacy legislation. Many have advocated a weak “notice and opt 
out” bill, but several marketing leaders have come out in favor of an opt-in stand- 
ard. Permission marketing, as they call opt-in, has matured from a radical idea to 
a mainstream doctrine. Online marketers know that spam (Unsolicited Commercial 
Email) has poisoned the good will of online consumers, and some trade associations 
have supported opt-in as the standard for email marketing. As I have testified be- 
fore your Subcommittee, I believe this standard should be Federally mandated. 

The opt-out model has recently been put to a large-scale test, as the weak privacy 
requirements of the Gramm-Leach-Bliley Act (GLB) came into effect at the begin- 
ning of this month. According to a survey by the American Banking Association, 
41% of people do not recall having received their notices; clearly they have not been 
served well by the opt out model. The 36% of people who read their notices may 
have gained too rosy a picture of the state of their privacy. For example, US 
Bancorp’s Consumer Privacy Pledge opens with the assurance that “Protecting your 
privacy is important to the U.S. Bancorp family of financial service providers.” Four 
hundred words later, the bank says it allows itself to disclose all of the information 
it has “to other financial institutions with which we have joint marketing arrange- 
ments.” Indeed, the bank has not been reluctant make such disclosures in the past. 
According to Minnesota Attorney General Mike Hatch, it sold to a telemarketing 
company following information about its customers: “name, address, telephone num- 
bers of the primary and secondary customer, gender, marital status, homeownership 
status, occupation, checking account number, credit card number. Social Security 
number, birth date, account open date, average account balance, account frequency 
information, credit limit, credit insurance status, year to date finance charges, auto- 
mated transactions authorized, credit card type and brand, number of credit cards, 
cash advance amount, behavior score, bankruptcy score, date of last payment, 
amount of last payment, date of last statement, and statement balance.” In a pre- 



80 


pared statement the bank’s CEO characterized this kind of transaction as an “indus- 
try-wide practice.” Now, I think it is reasonable to presume that if the average 
American were asked in a plain and direct manner whether she wanted the bank 
to sell all this information about her to telemarketers, she would say “no”. But by 
failing to find, read, understand, and respond to a privacy notice, she has unwit- 
tingly allowed this to happen. Under the opt-out model, banks continue practices 
against the desires of the majority of their customers, by making their notices inef- 
fective, vague, and bordering on deceptive, and by placing the burden on the con- 
sumer to try to understand what they need to opt out of and how. The GLB experi- 
ence is a clear illustration of the necessity of an opt-in model for disclosure and sec- 
ondary use of information. In their lobbjdng against opt-in legislation, banks 
claimed it would cost them millions if they were required to obtain consent before 
selling information about their customers. This is an understandable motive, but the 
question for lawmakers is whose interests should prevail here. 

Over the past year the Internet bubble has burst, and some who lobby against 
privacy for Internet companies have changed their tune from “don’t crimp the nas- 
cent growth of this new medium” to “don’t hit us while we’re down.” One might won- 
der whether under this logic there could ever be an appropriate time for privacy 
rights; I would suggest this time is long overdue. As Professor Rotenberg concluded 
from a Gallup poll, privacy continues to be a major reason for non-participation, as 
well as an ongoing concern of online shoppers; this does not decline as users become 
more experienced. Forrester Research has concluded that “Nearly 90% of online con- 
sumers want the right to control how their personal information is used after it is 
collected. . . . Surprisingly, these concerns change very little as consumers spend 
more time online.” Many online retailers have gone bankrupt or are struggling to 
achieve profitability, as online consumer spending has failed to grow as quickly as 
hoped. Unfortunately the many bankruptcies have further damaged privacy, as cus- 
tomer databases of companies that formerly promised never to sell personal infor- 
mation without consent are sold, usually on an opt-out basis. Consumers typically 
have no option to see the information that is being sold about them, so the opt-out 
choice is fairly meaningless. This is one reason why access rights should be included 
in privacy legislation. 

At a public workshop run by the Federal Trade Commission in March, the major 
consumer profiling companies refused to allow people access to their own profiles, 
or even to provide sample profiles. 

Online profiling companies also told the FTC that they are continuing develop- 
ment of their Consumer Profile Exchange technology without any committment to 
observe fair information practices in their use of it. 

In May the Federal Trade Commission found that Amazon and its Alexa division 
has likely deceived customers, but it decided “not to recommend any enforcement 
action action at this time,” in part because the company had changed its description 
of its practices. This is a lamentable non-action for a consumer protection agency 
that is supposed to keep companies honest. Imagine if the SEC found that a com- 
pany had misled investors with fake figures in a prospectus, then let them off be- 
cause they had issued new figures and moved into a new business. To me this inci- 
dent is an illustration of the need for a private right of action. So are many other 
incidents where companies have made inadvertent disclosures contrary to their un- 
dertakings to consumers, most recently Eli Lilly’s release of the e-mail addresses of 
600 people on Prozac. Companies face too little negative feedback for their errors. 
What sufferer of depression is going to tell his doctor not to write him a prescription 
for Prozac because of the manufacturer’s record on privacy? 

Another trend is that more companies online are posting so-called privacy policies, 
but the quality of those policies appears to be getting even worse. This conclusion 
was reached in one longitudinal study by Enonymous. There have also been some 
prominent examples, such as Amazon.com’s change of policy at the end of August 
2000. As customer of many years, I was shocked to find after a long and careful 
examination of their new policy that a company that had previously undertaken 
never to sell my information, might now sell the title of the next book I bought, in 
the event of a bankruptcy, or in bulk if they sold a division, such as their book oper- 
ations. 

Dissatisfied, I asked Amazon to delete its records of the books I had purchased. 
They have repeatedly refused, saying that their systems were not designed to ac- 
commodate this easily. They also refused my calls to show their customers all the 
information they have about them on request. The laws of several countries in 
which Amazon operates require both access and deletion on request, so I find their 
refusal to extend these rights to Americans deplorable. 

In the past year several nations including Canada and Australia legislated broad, 
technology-independent privacy rights rights for their citizens, partly with an eye 



81 


toward enabling free data flows with the European Union. Some fifty companies 
have signed up with the Department of Commerce’s Safe Harhor program, commit- 
ting to a privacy standard that in my opinion is short of ideal, hut still far higher 
than most companies provide for their American customers, and higher than almost 
all proposed Federal privacy legislation. The program applies only to the data of Eu- 
ropeans, hut Microsoft has stated that it will apply that standard to all its cus- 
tomers, including the U.S. I wish I could hear an explanation from these companies 
as to why they don’t want their American customers to have mandated by law a 
level of privacy that they are willing to grant to Europeans. 

Ever more intrusive collection technologies are being rolled out, such as online 
tracking mechanisms, spyware, face recognition systems, location tracking devices 
and thermal imaging. To the lobbyist who says that the Internet shouldn’t be held 
to a higher standard in privacy law than the offline world, I ask whether he believes 
that a camera that can see his body through the walls of his home should be held 
to the same privacy standards as a photocopier. Restrictions on data collection nec- 
essarily take into account the means of collection. When it comes to the use and 
disclosure of information, I generally agree that the same principles should apply 
regardless of how the information is collected, processed or distributed. 

Enthusiasm seems to have waned in the past year for the hope that “technology 
got us into this mess, so technology can get us out of it.” I am certainly in favor 
of privacy enhancing technologies: my company has for several years published such 
software, and it has been used by hundreds of thousands of people. But advances 
in “cloaking” technologies are always outstripped by advances in collection tech- 
nologies, both in capabilities and degree of adoption. In September American Ex- 
press announced that it would roll out in 2001 a “private browsing” service with a 
startup company called Privada. Privada recent ceased operations, and AmEx has 
told me it does not intend to deliver the service. 

PSP has for years been billed as the privacy technology of the future, and it seems 
destined to remain so for at least several more years. Even if the computer-readable 
privacy notices of PSP were universally deployed, it would suffer the same problems 
as human-readable privacy notices that I have listed above. Microsoft has imple- 
mented a part of PSP in its next browser, but only as an excuse not to fix the de- 
fault settings that allows tens of millions of web bugs to gather click streams in vol- 
umes of billions of clicks per day. Microsoft’s “thermostat setting” where surfers are 
required to tell their PCs how much they will tolerate being surveilled gives a mis- 
leading and dangerous view of privacy. People should not be forced to trade privacy 
for participation. People need legally guaranteed privacy rights to control the data 
collected about them. 

In July 2000 the FTC sanctioned a deplorably low set of standards proposed by 
Doubleclick and a few other online advertising companies under the name of the 
Network Advertising Initiative. Some of these companies are no longer with the 
NAI, having gone bankrupt or withdrawn on principle to support privacy. The com- 
panies require consumers who do not wish to be tracked to get “opt-out” cookies on 
their browsers. This is bad policy and bad implementation. People generally believe 
that destroying all their cookies will improve their privacy, and do not realize that 
this step in fact removes the record of their request to be anonymous. This opt-out 
feature is a contemptible excuse for massive surveillance. 

Mr. Chairman, Members of the Committee, as this collection of a year’s events 
suggests, each week brings another Love Canal of privacy to light. In previous cen- 
turies people enjoyed privacy as an accidental byproduct of the practical obscurity 
of personal information. Those days are gone forever. Privacy will not return to us 
by accident. Privacy will not survive without strong acts of will by democratic gov- 
ernment. Privacy will not survive unless citizens have effective privacy rights cre- 
ated by governments. Privacy requires the diligent efforts of companies and institu- 
tions to comply with mandatory standards. Few companies will ask you to impose 
that discipline on them. But it is up to you to require all organizations that handle 
information about people to treat it fairly. Unless you do that, our society will not 
enjoy the benefits that our technology and economy could deliver, and we will be 
robbed of something that is very necessary to a dignified human existence: privacy. 

I appreciate the opportunity to speak before you today. I would be pleased to an- 
swer your questions. 

The Chairman. Thank you very much. 

Mr. Rubinstein. 



82 


STATEMENT OF IRA RUBINSTEIN, ASSOCIATE GENERAL 

COUNSEL, ELECTRONIC COMMERCE POLICY, MICROSOFT 

CORPORATION 

Mr. Rubinstein. Chairman Hollings, members of this Com- 
mittee, thank you for the opportunity to testify today. My name is 
Ira Rubinstein, and I am associate general counsel for electronic 
commerce at Microsoft. Today I would like to talk to you about our 
work on Internet Explorer 6, which is the next version of our pop- 
ular browsing technology and which is available to the public today 
in a preview version and will be released generally on October 25 
when we ship Windows XP. 

In particular, what I am going to show you today are tools in 
Internet Explorer 6 that will make the privacy policies of web sites 
more transparent to consumers than ever before, and that will give 
consumers on a broad scale greater control of their online informa- 
tion than they have ever had. These tools will also directly address 
one of the issues that we hear the most concerns about, online 
profiling or tracking, which is the practice of collecting the history 
of a user’s actions across a series of web sites. 

Before I give an overview of these tools, I want to emphasize that 
this effort builds on an open industry standard. We have been 
working with the Worldwide Web Consortium on a technical stand- 
ard called PSP. The goal of PSP is to provide a common language 
for a site to describe its data practices, such as what data it col- 
lects, how the site uses it, how it handles cookies, and so on. The 
common language helps web sites describe the important aspects of 
their information policies according to a standardized road map. 

I hope my slide presentation will come up in a moment, but I be- 
lieve you also have a printout of these slides. P3P also provides a 
mechanism for a site to provide a machine-readable version of its 
data policies. The grand vision of PSP is that when sites code their 
privacy policies according to this standard and consumers have 
PSP tools in their hands, they can automatically match their indi- 
vidual privacy settings and preferences against the practices of the 
web sites they are visiting. If the web site satisfies the consumer’s 
preferences, the consumer enters the web site without incident, if 
the site does not match the individual’s personal setting, the con- 
sumer at least is warned of that fact before proceeding. 

Let me now show you how this will work in Internet Explorer 6, 
and I would ask you to refer to the handout of the slides until the 
computer here reboots. On slide 3, you will see a box describing the 
first-time consumer experience when a consumer connects to a web 
site whose privacy practices related to cookies and information 
reuse do not match the consumer settings in Internet Explorer 6.0. 
When this happens, a small window appears. 

By the way, a cookie is a file created by an Internet site to store 
information on the user’s computer, such as preferences when vis- 
iting that site or in some cases, personally identifiable information, 
such as a name or an email address. 

The window that appears when a user first connects to a site 
tells the consumer about a new privacy icon which unfortunately 
is not on your screen, but it appears in the lower right-hand corner 
as a small red eye, and it represents a warning that Internet Ex- 
plorer 6 technology has detected a mismatch between the consumer 



83 


settings for accepting or rejecting cookies, and the practices of the 
web site. I am now on slide 4, which has a large arrow pointing 
to that red eye icon. 

This privacy warning will show up every time there is a mis- 
match, and this feature by itself does a lot to foster more trans- 
parency about privacy policies than has been imaginable in the 
past. In addition, to offer consumers control, we have provided an 
easy mechanism that allows the consumer, the individual, to speci- 
fy how Internet Explorer 6.0 should handle cookies and associated 
data practices. 

I am now on slide 5, which you see has — is labeled. Medium, and 
has a slighter setting, and the slides are now appearing on the 
screen. This is the default setting for P3P in Internet Explorer 6, 
and this setting will ship preinstalled and filter third-party cookies, 
the cookies that are used to track users across sites. By default, 
these third-party cookies will be blocked unless the third party pro- 
vides a machine-readable privacy policy in the P3P format, so that 
is requirement No. 1, that the site have a P3P policy. 

And in addition, on this slide, the user in this case has browsed 
to an MSNBC site, which is using advertising from MSN and from 
other sites, but the cookies delivered along with those advertise- 
ments did not have the appropriate P3P policies associated with 
them, so they were blocked, and that is because P3P is still in the 
early trial stages, and MSNBC, like other web sites, has yet to de- 
ploy the P3P compact policies. 

So these cookies from a site other than the one the consumer was 
visiting, the site serving the ads, have been blocked, because these 
sites have not yet launched their P3P policies. Moreover, even if 
the third party has a P3P-compliant policy in this medium default 
mode, its cookies will be blocked if it is reusing a consumer’s per- 
sonally identifiable information and does not allow for consumer 
choice, either opt-out or opt-in, and this approach tracks the ar- 
rangement established last summer between the FTC and the net- 
work advertising companies. 

With a single click, however, consumers can change the setting 
to a higher or lower level of privacy. The medium-high setting re- 
quires opt-in for third parties’ reuse of personal information and at 
least opt-out if the site you are visiting, a first party site, wants 
to reuse that personal information. Users can also click to a high 
setting, which would require all web sites to obtain opt-in consent 
before the reuse of PI, and you can also block all cookies. There is 
also a low setting which would allow the user to accept all cookies, 
which is effectively the current state of the web today. 

Internet Explorer 6 has a number of other features that help con- 
sumers control their privacy. Most importantly, we have tools that 
enable consumers to easily capture and read the P3P-compliant 
policy of a site. While I am not showing all these features today, 
I would like to mention just a few. We have tools that allow con- 
sumers to import settings from some other source besides Micro- 
soft, so that Center for Democracy and Technology, for example, 
which is an organization that has worked extensively on the P3P 
standard, is also in discussions with us about developing their own 
settings which a user could then import onto its browser, and since 



84 


P3P is an open standard, other companies could easily develop 
their own P3P implementation. 

Now, we are actively encouraging web sites to deploy P3P poli- 
cies, and based on feedback so far, we hope to see a very significant 
deployment. I want to emphasize in closing that we don’t view 
IE6.0 and its P3P implementation as a silver bullet solution to all 
online privacy issues, but it is a very significant step, and it shows 
that technology can play a critical role in addressing consumers’ 
privacy concerns. 

Fundamentally, we believe we have done work that consumers 
want and that will retain their trust in the face of concerns over 
the collection and use of personal information. Thank you, and I 
look forward to your questions. 

[The prepared statement of Mr. Rubinstein follows:] 

Prepared Statement of Ira Rubinstein, Associate General Counsel, 
Electronic Commerce Policy, Microsoft Corporation 

Chairman Hollings, Ranking Member McCain, Members of this distinguished 
committee, thank you for the opportunity to testify before you today on subjects that 
are very important to consumers — Internet privacy and the tools that consumers 
can use to protect their privacy. My name is Ira Rubinstein, and I am Associate 
General Counsel for e-commerce policy at Microsoft Corporation. At Microsoft, we 
are not only dedicated to protecting consumer privacy, but from an even broader 
perspective, to building an online community that consumers trust and to promoting 
vigorous growth of online opportunities for all. 

overview: the marketplace is demanding better privacy tools 

Today I would like to share with you just one of the things our company is doing 
around the issue of online privacy. For several years, Microsoft has been at the fore- 
front of promoting privacy online. We have been developing privacy best practices 
and procedures under the leadership of our Director of Corporate Privacy, Richard 
Purcell. We have been actively involved in coalitions such as getnetwise.org, which 
focuses on building a safer web for our children. Elsewhere in the company, we are 
developing futuristic technological tools that have the potential to ultimately trans- 
form how online privacy protection is delivered to consumers. Today, I would like 
to discuss with you the exciting work being done by out Internet Explorer team, the 
team that is developing the next version of our browsing technology, Internet Ex- 
plorer 6.0. 

Because the web is increasingly important in people’s lives, one of the issues cus- 
tomers raise with us more and more is their desire to know that their privacy is 
being protected when they go online. When we receive such feedback, we attempt 
to the extent possible to incorporate features that meet this demand and that give 
consumers better control of their personal information. In the end, it’s our job to 
build software that delights our customers. Because of consumer demand, Microsoft 
currently has about 25 people working on the privacy protections in Internet Ex- 
plorer. 


internet explorer 6.0: tackling online tracking 

When we talk to our customers, one of the questions they raise most often is 
whether their web surfing activities can be tracked. It is an issue that the Microsoft 
Internet Explorer team has been working to address for about eighteen months now. 
Tracking or profiling is the practice of collecting a profile or history of a user’s ac- 
tions across a web site or series of sites. When combined with “personally identifi- 
able information,” such as name, address, phone number or other identification, 
whoever collects this profile can market or target advertising or other services spe- 
cifically to a customer. 

Much of the online tracking you hear about comes through the use of “cookies,” 
small benign pieces of information that a web site stores on an individual’s com- 
puter. It is important to note that cookies in and of themselves are neither good 
nor bad. Without cookies, the web wouldn’t work as people expect it to. There would 
be no customization, no e-commerce and the economics of the web would be called 
into question. However, consumers should still be in control of this technology. 



85 


Since most online profiling comes through the use of cookies, Microsoft has been 
concentrating its privacy protection mechanisms in Internet Explorer around cookie 
management features, which we have designed to enhance notice and choice of the 
information practices of the web sites that consumers use. Based on our experience 
with a series of test versions of Internet Explorer and our work with the World 
Wide Web Consortium’s (the “W3C’s”) Privacy Working Group, we believe that the 
next version of Internet Explorer — IE 6.0 — will take significant strides in protecting 
consumers’ privacy. 

One of the most challenging things about building software for tens or even hun- 
dreds of millions of people all around the world is that it needs to work in a way 
that provides the protection consumers want, but without disrupting or slowing 
their web browsing experience. In some of the earlier test versions of privacy protec- 
tions in Internet Explorer, we found that consumers were actually frustrated with 
tools that popped-up questions or prompted the consumer every time a cookie might 
be used for tracking purposes. It turned out to be too burdensome and confusing 
for consumers to understand exactly what was going on behind the scenes on their 
computers. 

From the significant usability tests that Microsoft does, we know that if you con- 
stantly pop-up privacy questions, users either disregard them or perform whatever 
action is necessary to make these pop-ups go away. Obviously, this behavior under- 
mines the goal of protecting the user more thoroughly. So we’ve been working to 
create a solution that helps consumers to control cookies. And we’ve been especially 
focused on so-called third-party cookies that can be used to track your activities 
across sites — that is, cookies that come from a party other than the site a consumer 
is visiting. Our tools help consumers better understand the source and purpose of 
the cookie, thereby giving the consumer more control over whether it is accepted or 
rejected. Our tools also offer a default level of privacy protection that is greater than 
exists on the web today, so that out of the box, users of Internet Explorer 6.0 enjoy 
protections they currently do not have. 

PROTECTING PRIVACY THROUGH INDUSTRY STANDARDS 

Before we get deeper into the details, let us focus on the role industry standards 
have played in getting us to where we are today. As our engineers were examining 
the best path to take to control cookies through Internet Explorer, we were simulta- 
neously working with the World Wide Web Consortium on a technical standard 
called the “Platform for Privacy Preferences Project” or P3P. The goal of P3P is to 
provide a common language for a site to describe its data practices — such as what 
data the site collects, how the site uses it, who gets access to it, how long the data 
is retained, what consumers should do if they have a privacy complaint, etc. The 
common language helps web sites describe the important aspects of their informa- 
tion practices according to a standardized road map. 

P3P also provides a mechanism for a site to provide a machine-readable version 
of its data practices. The grand vision of P3P is that once sites code their privacy 
policies according to the standard, and consumers have PSP tools in their hands, 
consumers can automatically match their individual privacy preferences against the 
practices of the web sites they are visiting. If the web site satisfies the consumer’s 
preferences, the consumer enters the web site without incident. If the site does not 
match the individual’s personal setting, the consumer at least is warned of that fact 
before proceeding. 

In Internet Explorer 6.0, we take a significant first step in promoting adoption 
of the industry’s P3P standard by both web sites and consumers. By providing a de- 
fault level of protection out of the box, we are creating incentives for web sites — 
and especially those that use cookies in a third-party fashion — to code their privacy 
policies in the P3P language. These incentives will exist because we anticipate that 
millions of web surfers will choose to upgrade to IE 6.0 in the near term and will 
automatically get the protections IE 6.0 offers. 

USING P3P IN INTERNET EXPLORER 6.0 

Again, based on our earlier research, consumers want to be able to automatically 
control the use of cookies based on the data practices of the site sending the cookie. 
The use of PSP technology to help solve this online tracking problem is a natural 
fit. 

How will this work? You can actually test these tools now by downloading the 
public beta version of IE 6.0 at www.microsoft.com ! windows ! ie. But to go through 
them quickly, here is an overview. By default, in order for third-party cookies to be 
set to a consumer’s computer, a third party that collects personally identifiable in- 
formation must indicate, via a P3P-compliant mechanism, that the site offers “no- 



86 


tice” and “choice.” By notice, we mean that the site provides the consumer a ma- 
chine-readable privacy policy in P3P format, which clearly states the information 
collection practices of that party. If there is no notice, third-party cookies from this 
site are blocked automatically by IE 6.0. 

By choice, we mean that if a web site is reusing a consumer’s personally identifi- 
able information, then it must allow the consumer to “opt out” of or “opt in” to that 
data reuse. If personal information is being reused, and consumers don’t have choice 
around that use, then the cookies from that third-party web site are blocked. This 
approach tracks the arrangement established last summer between the Federal 
Trade Commission and prominent web advertisers. The core of that arrangement is 
that a company that tracks users across sites, at a minimum, must provide notice 
of that practice and the choice of opting out of it. 

To help consumers understand the concepts of notice and choice, the first time a 
consumer connects to a web site whose privacy practices do not match the default 
setting in Internet Explorer 6.0, an informational dialog-box appears. This box at- 
tempts to educate the consumer about a new “red eye” privacy icon that appears 
at the bottom of the browser window and what this icon means in light of the user’s 
privacy settings. Then, with Internet Explorer 6.0, as users browse other sites that 
attempt to set cookies but do not meet their privacy settings, the red-eye will re- 
appear, alerting the consumer to potential privacy issues. 

While we have taken care to establish what we believe is a workable default set- 
ting, we’ve provided a sliding-scale feature that allows consumers to easily change 
their privacy settings. With a single click, consumers can change the default setting 
to higher privacy settings, which have more stringent requirements for the use of 
privacy policies, or to lower settings, which are less stringent. For example, the 
“high” setting requires all web sites, both first and third-party, to obtain explicit 
(opt-in) consent before the reuse of personal information. We additionally have a 
feature that allows almost infinite customizability of the privacy settings, and we 
have an “import” function that allows the consumer to download a third party’s pri- 
vacy settings (which, for example, may have default settings different from IE 6.0) 
and insert them into the browsing technology. 

This is just an overview of our technology’s features. We are happy to visit with 
any congressional office to review the tools in greater detail. 

OUR OTHER EFFORTS TO PROMOTE P3P ADOPTION 

I also want to mention the fact that, in the run-up to the release of IE 6.0, we 
are actively encouraging web sites to deploy P3P-compliant privacy policies. 
Through our ongoing work with the top 100 sites on the web, and with the work 
that the Internet standards body is doing, by the time that Internet Explorer 6.0 
launches this fall, we hope to see significant deployment. We’ve also developed what 
we call a “Privacy Statement Wizard,” an automated privacy statement generator 
that can help smaller sites become P3P-compliant by creating policies simply based 
on the site’s answers to a series of questions about its practices (subject, of course, 
to legal review by the site’s lawyer). The statement generator is currently available 
at http:! I microsoft.com I privacy I wizard. It also will soon be available at Microsoft’s 
small business web portal, at http: II privacy.bcentral.com. 

PUTTING IE 6.0 IN PERSPECTIVE 

Since P3P is an open standard, not controlled by Microsoft in any way, we believe 
that other companies will develop additional privacy-enhancing technologies that 
will also interact in an automated fashion with sites that have posted P3P-compli- 
ant privacy policies. In fact, we’ve already seen the emergence of tools that provide 
analysis of P3P policies, as well as search engines that only return hits from sites 
that follow P3P guidelines. Over the long run, we hope to see widespread adoption 
of P3P by the web community, as well as increasing consumer understanding of the 
power that P3P tools put in their hands to enhance — and customize — their privacy 
protection. We believe strongly that P3P is an empowering technology and that it 
can address in a simpler way the complex questions around consumer preferences 
and the articulation of sites’ privacy policies. 

We do not believe that the work we’ve done in IE 6.0 to enhance consumer privacy 
is a silver-bullet solution, but we do believe it is a significant positive step — showing 
that technology can play a critical role in addressing consumers’ online privacy con- 
cerns. We believe we have done work that consumers want and that will delight 
them. We also believe that allowing individuals to control their own personal infor- 
mation is an important, enduring mission for Microsoft. It is an ongoing process, 
and not just a single, all-encompassing step. We take it seriously because our cus- 
tomers do. Finally, we believe that these first steps to include serious privacy pro- 



87 


tection in Internet Explorer will lead to positive cooperation in the industry around 
this topic and will result in a better Internet and a better economy. In the future, 
we at Microsoft expect to do additional work in this area, using P3P or other tech- 
nologies, and we would be happy to keep you abreast of those efforts. 

Again, thank you for allowing me to be with you today, and all of us at Microsoft 
look forward to a continuing dialogue. 


Industry’s PSP Standard Can Help 
Put Users in Control Online 



"Machine 

The vision; Before the Web page is Readable" 
displayed, the Web site and user's ^tement 
software determine whether there is 
a "match" between the site's practices 
and the user's preferences 


88 



89 




90 



91 



92 




93 




94 




95 




96 


The Chairman. Very, very good. 

Senator Wyden. 

Senator Wyden. Thank you, Mr. Chairman. Mr. Chairman, I 
think it has been excellent hearing. It has really been a 3-hour 
teach-in on privacy and what it is going to take to get this done. 

Gentlemen — and let me start perhaps with the Earthlink, Ama- 
zon, and Microsoft witnesses. The reason I asked about Eli Lilly 
really 3 hours ago is that I am concerned that we are headed for 
an Exxon Valdez of privacy. That was a very serious problem with 
Eli Lilly, but I think with the bad actors that all of you have told 
me exist out there in the private sector, that we are headed for 
something far, far worse. If that tragedy takes place, you will not 
like the legislative response that comes from the U.S. Senate, just 
as sure as the night follows the day. 

So my question to you is: Given the fact that you have really one 
chance for one standard, one chance to get a preemption bill, what 
would you all at Earthlink, Amazon, and Microsoft want in terms 
of your efforts to try to work with us to see if we can get you some- 
thing that is reasonable? Let’s start with the Earthlink folks, then 
Mr. Misener, and then Microsoft. 

Mr. Seagraves. Senator, what we are looking for is something 
that gives our customers the information they need to make in- 
formed choices. The components of that would be something that 
is simple, something that allows technology to step in, and some- 
thing — or legislation that actually does something, that gives them 
and promotes good information given to customers. 

Senator Wyden. So, in effect, what you have just said is if the 
bill has the elements of the Federal Trade Commission legislation 
and they would be binding and enforceable, that would be some- 
thing you would support if you could get preemption in return. 

Mr. Seagraves. I think you could basically codify the FTC guide- 
lines, have the FTC enforce them. We could live with that. 

Senator Wyden. Good. Amazon? 

Mr. Misener. Senator Wyden, that is an excellent admonition to 
us in industry as a matter of sort of legislative strategy. We al- 
ready comply fully with the requirements of your bill. OK. Ama- 
zon.com is already doing this pro-privacy, notice, choice, access, and 
security on our own in response to our customers’ demands and de- 
sires, and so we are very proud of that, and we certainly could live 
under the requirements of the bill that you and Senator Burns in- 
troduced in the 106th Congress. 

All I have said and all Amazon.com has indicated is that there 
is no inherent need for legislation, because we believe the market 
is already driving companies like Amazon 

Senator Wyden. But how do you deal with the bad actors? See, 
that is the point. The fact is there are a lot of people out here who 
don’t work closely with Chairman Hollings and Senator McCain 
and come to hearings that examine this, and those are the kind of 
people that I think are most likely to produce that Exxon Valdez 
and do a great deal of damage to the good work that you all have 
done. You all have worked too hard at building up the credibility 
of this industry to lose it for some bad actors, and that is why you 
need a piece of legislation. 



97 


Mr. Misener. Senator Wyden, you make some very compelling 
points, and I have to say that the points are so compelling that we 
will continue to examine them going forward. I will say, though, 
that the incident with Eli Whitney is unlikely to be prevented by 
the sorts of legislation we are talking today. It was an inadvertent 
mistake. It is not forgivable in many senses, but the legislation 
alone won’t bar it. 

Second, the bad actors 

Senator Wyden. Just so you know and the record is clear, no bill 
is ever going to bar accidents. The reason I asked the question — 
and I think the answer was good — is we would like to reduce the 
risk, and I am convinced that well-written privacy legislation can 
reduce it. I interrupted you. 

Mr. Misener. That is quite all right. I just want to conclude by 
saying that the bad actors that are out there are going to lose in 
the marketplace. We have well over 30 million customers who have 
said that we have good privacy policies. They have come to us, and 
they feel comfortable with us. They trust us. We believe those bad 
actors will lose out. The little ones that are out there, I think it 
would be very difficult to enforce against in the first place. There 
it is. Senator. 

Senator Wyden. But once the bad actors have damaged the 
credibility of your work and harmed a lot of people, it is going to 
be too late to put the horses back in the barn. 

Mr. Misener. I fully agree. Senator, and there happens to be a 
history in Washington of companies who have done good things, to 
come to Washington and ask for legislation that essentially mimics 
them so that we erect — so that Government erects high barriers to 
entry, so the competitors can’t come in and compete with those 
companies like Amazon.com who have done the right thing. We 
simply have tried to be more pure than that and not ask for that 
kind of preemptive legislation. 

Senator Wyden. We are going to go at this in a way — and you 
have heard it from both sides of the aisle — that is not going to 
freeze technology, and we have worked with you enough to know 
that I feel very strongly about that. 

Microsoft? 

Mr. Rubinstein. Senator Wyden, if I might just briefly follow up 
on two comments that Mr. Misener made and then directly answer 
your question about legislation, first on the question of accidents, 
I agree with both of you, that legislation itself is not in a position 
to prevent accidents and the Lilly situation seems to have been a 
mistake rather than some intentional act. 

Second, on the question of bad actors, I think there is no such 
thing as 100 percent compliance. We haven’t heard much about 
self-regulatory efforts in this hearing, but let me just mention one 
point which is that the reach of organizations like Trust-E and 
other CL organizations is growing and is significant. Let me give 
you a few statistics. Trust-E is now at 2,000 licensees, which is 
about 50 percent growth over last year. Seven of the ten top web 
sites by traffic are Trust-E licensees; 50 of the top 100 sites are li- 
censees. And these licensed sites reach about 145 million web 
users. So the reach of the self-regulatory organizations is not small 
today. 



98 


On the question of legislation directly, like — ^Amazon described a 
bill that is representative of the principles that a number of major 
industry trade associations have articulated for acceptable legisla- 
tion, and Microsoft does not oppose legislation per se, and we have 
been in many of your offices to, you know, review and comment on 
bills that have been introduced. 

But like many in industry, we believe that Congress needs to 
move very deliberately and very cautiously on this question, both 
because it is complex and in order to avoid either harming the 
Internet industry, which is still in its early stages despite some of 
the comments about legislation being introduced early. Yes. The 
Telephone Act was introduced in 1936 with privacy legislation, but 
the telephone was introduced in the 1890’s. 

Senator Wyden. Can I just ask one other quick question? 

The Chairman. Surely. 

Senator Wyden. Thank you, Mr. Chairman. 

Just one question about P3P, if I could, Mr. Rubinstein. What is 
it going to take on the enforcement side to make P3P work, be- 
cause it is very clear that this is useful product. I share Senator 
Kerry’s view in that regard, and it is going to be particularly help- 
ful because it is going to help consumers determine what a web site 
says it is going to do, but then if web sites say one thing and then 
do another, we have got an enforcement issue, and Senator Hol- 
lings has given me this extra time. 

Could you just tell us how envision this enforcement scenario 
going forward? 

Mr. Rubinstein. Yes. I think that is a very good question, and 
you are alluding to the fact that P3P by itself provides no informa- 
tion about a site’s practices but only its policies, and I think that 
is true of any technological means for understanding what a site 
does. There is no way of measuring practices through the inter- 
active medium of the web. 

What I think that P3P may be able to provide going forward, 
however, is additional information, for example, about whether a 
site is a subscriber of Trust-E, has been audited by one of the Big 
Five accounting firms that does that kind of auditing, and users 
may well want to set their P3P preferences so that they only do 
business with sites that so indicate, and I think it can provide 
greater transparency about enforcement, but there is no way that 
it could ultimately be a mechanism to demonstrate, you know, 
practices at the moment. 

Senator Wyden. Thank you, Mr. Chairman. 

The Chairman. Thank you very much. 

Senator Allen. 

Senator Allen. Thank you, Mr. Chairman. First, I want to com- 
ment you, Mr. Chairman, for an outstanding and very balanced 
panel, two panels of witnesses. This is an issue of great interest to 
me and on the Republican side, chairing the high-tech task force, 
some of these folks we heard, and trying to find some balance and 
logic if government action is going to go forward — and I think there 
will probably be some, but let’s make sure it is the most beneficial 
and not anything to thwart the advantages to our life and our edu- 
cation and information afforded by the Internet. 



99 


I would like to follow up on Senator Wyden’s comments. He 
asked many of the questions I would, as well as what Senator 
Kerry mentioned. I very much agree with the thoughts and proc- 
esses through there, and in listening to the various witnesses here, 
and I do think it is very important as we go forward that we do 
make that distinction between the different types of information, 
whether that is medical information, health-related information 
versus financial versus regular consumer information. 

And I do think we need to look at each of those categories dif- 
ferently for the levels of protection that people should get from the 
Government versus the other view of the libertarian view which is 
generally mine of caveat emptor and making sure people are in- 
formed, knowledgeable, and they make those decisions and are re- 
sponsible for the consequences. When you get to health information 
or privacy in financial, that is a different situation. We do need to 
have protection, stronger protection there. 

Now, Mr. Catlett mentioned that since the Internet, this mode of 
information or communication is different than the mail or the tele- 
phone, but you still use the same principles in applying those basic 
principles to however the regulations would be. And, indeed, the 
privacy bills that have been introduced over the years, the way I 
have looked at them, deal with only information collected via the 
Internet. But if you look back in history — and I mentioned this a 
few weeks ago. 

I had lunch with some folks from UPS, and when they started 
off, one of the key things for them getting business was to make 
sure when shipping packages from Macy’s, they wouldn’t let 
Gimbel’s know what they were shipping, and Gimbel’s wouldn’t 
know what — vice versa, Macy’s and Gimbel’s. 

And so when you hear Mr. Seagraves talk about Earthlink and 
what you are doing in trying to get a market niche that way and 
getting more consumers or customers because of what you do, that 
is responding to market forces; the same way with Amazon.com. 
Microsoft’s involvement in all this is trying to come up with some- 
thing that they hope consumers will want. And so here you have 
an example of various enterprises that are responding to the de- 
sires. You just have these polls, people concerned about privacy and 
misuse of information, abuse of information. 

These three enterprises are all trying to respond to consumer de- 
mand, and I want to commend you all for that, and you will be a 
model, I think, for us, and it was very interesting. I was taking 
notes as to the different views that you would have as far as notice 
and choice, preemption, online, offline distinctions, but you gen- 
erally don’t think there should be distinctions, and as far as legal 
aspects of it, so I think that what we need to do is listen to the 
creative technologists and listen also obviously to those in the pri- 
vate sector and make sure that we don’t do something that thwarts 
your industry. 

However, the technology or e-commerce industry is going to need 
to come up with these ideas for you to grow. Otherwise, I think it 
will thwart the growth of e-commerce and the use of the Internet 
if people are fearful that their information, their personal data, will 
be misused or be subject to spamming and other aggravations in 



100 


people’s lives. There are things that are more than an aggravation, 
but an infringement that we don’t think is appropriate for it. 

So I would only conclude by asking this question, following up on 
what Senator Wyden asked of Mr. Rubinstein, and that is: In the 
event under P3P that someone — ^you were talking about. Here is 
their policies; their question is their practices. And, again, com- 
mending all of the entrepreneurs here and their companies, but in 
the event that their practices don’t comply with their policies, what 
laws currently apply? Would consumer fraud? Would fraud? It is 
clearly a violation — I would think some sort of a violation, a mis- 
representation. What current laws would apply to a company that 
as a practice knowingly violates the policies that they set forth to 
the public as far as privacy is concerned? 

Mr. Rubinstein. Senator, the situation you described seems to 
clearly invoke the FTC’s jurisdiction under Section 5 of the FTC 
Act. P3P presupposes that a site is presenting its policies in a writ- 
ten statement, and if it misrepresents its practices based on that 
policy or it deceives its customers, then it is clearly subject to FTC 
enforcement action. 

I think further, going back to my point about P3P also being 
used to identify which sites are enrolled with Trust-E or other self- 
regulatory organizations, if such a site was subject to an FTC ac- 
tion and found to have engaged in illegal conduct, it would have 
to lose its Trust-E or BBB Online seal, and that would have to also 
be reflected in its privacy statement, so that P3P tool would even- 
tually detect that. 

Senator Allen. Thank you. That answer fits into what Senator 
Kerry — one of the various points you were making Senator Kerry 
is that in this legislation, I think it would be advisable to make 
sure that we put in the legislation, at least cross-references if not 
the complete replication, of all the existing laws that do apply, a 
variety of areas. You were talking about in your past experiences, 
the mistake not making sure that you listed a lot of different stat- 
utes which already do apply, but I think it is important for folks 
to understand that they are not without recourse with some of 
these ideas currently. But I think maybe those can be embellished 
or reinforced in such legislation. 

My time is up, but, Mr. Chairman, again thank you for this very 
balanced and informative discussion here for our Committee. 
Thank you. 

The Chairman. Thank you very much. 

Senator Kerry. 

Senator Kerry. Thank you, Mr. Chairman. 

I thank the witnesses for their comments. Let me mention that 
our legislation will have some pretty strict fines and penalties 
under the FTC jurisdiction, and there is a clear FTC enforcement 
mechanism that may need to be strengthened. 

Mr. Rubinstein, if I could just ask you. Looking at your handouts 
here for a moment, if I were to have come in under your new — 
under the 6.0 that is coming out, if I went to this web site for 
CNBC, Wall Street Journal, will there be an automatic pop-up of 
this window as I see it, or do I have to go down and hit the icon 
down here in the bar? 



101 


Mr. Rubinstein. That is a very good question. The way we have 
designed IE6.0 is that this window pops up the first time a user 
visits a site where its privacy settings don’t match the site’s poli- 
cies, but it does not pop up every time. When we first began experi- 
menting with cookie management and with P3P in an earlier 
version of the browser, Internet Explorer 5.5, we used that type of 
approach, and even myself, experimenting with that beta version, 
the first time I connected to a site that I go to almost daily, I got 
40 pop-up screens, and like any other user, I quickly turned the 
feature off. 

So we were particularly concerned about not bombarding users 
with repetitive warnings or notices that would either distract them 
or lead to a disinterest and thereby really undermine this whole 
chicken and egg issue of how you get — they are deployed. 

Senator Kerry. But the first time I were to go to any particular 
web site, whether it is informational or transactional, you are say- 
ing that the window itself would pop up. 

Mr. Rubinstein. Well, let me be very clear about this. This win- 
dow pops up — we call it a first-time user experience. It is not going 
to pop up at every new web site you visit. It is going to pop up the 
first time you visit a web site where there is a mismatch between 
your setting, which is going to be the preinstalled 

Senator Kerry. Right. That is under the PSP. 

Mr. Rubinstein [continuing]. Default setting. And what this 
tries to do is then immediately educate you at this point when you 
first see it as to, you know, what this icon means, what cookies are, 
what the medium default setting represents. If you are then satis- 
fied with that setting, this screen won’t pop up again, but if there 
is a mismatch at some other web sites, the red eye icon will pop 
up. 

Senator Kerry. Pair enough. So the first time, in effect, the first 
time you are user, then, of your new program 

Mr. Rubinstein. Yes. 

Senator Kerry [continuing]. Effectively and you go to a site, you 
are going to be given the opportunity on that first use to click in 
the settings you want, and among those settings is the opportunity, 
I notice, to block all cookies. 

Mr. Rubinstein. Yes. And there are also — there is a button for 
advanced settings which allows some other interesting capabilities, 
namely you can block or accept all cookies from a particular web 
site, so if you distrust a particular web site, you add that to your 
list of blocked sites, and if you like a particular web site, you can 
say, “Don’t ask me again about that site, because I am comfortable 
with them”. 

Senator Kerry. In effect, you are really giving — and I am not ad- 
vertising for you, but it seems to me a fairly complete, broad set 
of choice. I mean, if we are looking at the choice application here, 
this is pretty broad consumer choice. You can actually set in — I 
mean, this is opt-in and opt-out simultaneously. 

Mr. Rubinstein. I guess it is opt-in with respect to the settings. 
I don’t want to oversell it. 

Senator Kerry. Well, I am not trying to — I don’t want to over- 
characterize it either, but I am trying to understand it properly . 
I mean, it seems to me that if I can — if I 



102 


Mr. Rubinstein. I would have to say, Senator — I am sorry to in- 
terrupt, but I would have to say that it is opt-out, because it shifts 
with the default setting, and unless the user changes that 

Senator Kerry. I see. Unless you change the setting, you are 
automatically stuck with the cookies. 

Mr. Rubinstein. Well, you are automatically stuck with the — if 
you will, with the medium setting, and the medium setting, as I 
said in my oral remarks, has two requirements. One is that the site 
has a P3P policy regarding cookies, and the second is that it offers 
choice in the form of either opt-in or opt-out for third-party cookies. 

Senator Kerry. Fair enough. Now, that is — what does this say 
to us about the P3P? I mean, if you don’t have P3P out there, this 
isn’t going to work. 

Mr. Rubinstein. If — well, that is correct. If a site doesn’t have 
a P3P policy, this doesn’t work in the sense that the full level of 
information that might otherwise be available, as well as all of the 
features that might be available, aren’t there, but if a site doesn’t 
have a compact — a P3P policy, the red eye will appear. 

Senator Kerry. Immediately. 

Mr. Rubinstein. So what we are hoping to do is to incentivize 
sites to deploy P3P policies in order to avoid having that red eye 
appear, and we have also developed tools, as have other companies 
like AT&T, called privacy statement generators, and these are 
automated ways of generating a P3P policy. They are very easy to 
use. You fill in a questionnaire online, and it spits out a policy 
which a site ought to have its own privacy officer or in-house coun- 
sel review, but it makes deploying these compact policies very 
straightforward and very easy. 

Senator Kerry. Now, Mr. Misener and Mr. Seagraves, let me ask 
you a question. There is sort of increasing discussion among var- 
ious companies and players within the Internet world, and you cer- 
tainly see it behind the scenes, and you see it in some of the trade 
discussion, that opt-in may not be as critical as some people origi- 
nally thought, opt-in versus opt-out, and that, indeed, perhaps even 
the sort of advertising fears that people had are now not as ger- 
mane, simply because some people are questioning whether or not 
that model is working at all. 

Would you like to comment on both of those observations; the no- 
tion that there seems to be maybe an increasing acceptance within 
the industry that this is not as key as some people though it was 
originally? And also would you comment on whether or not adver- 
tising appears to be as much a concern as people had, because 
maybe the marketplace has made that decision or is giving strong 
indicators about it at this point in time. 

Mr. Misener. Senator Kerry, thank you. In Amazon. corn’s view, 
the important thing is always to provide our customers meaningful 
choice, and without trying to characterize it in all instances as ei- 
ther opt-in or opt-out, it should always be meaningful. I mentioned 
before in my testimony that Amazon.com, in its effort to provide 
our customers that kind of meaningful choice, often provides what 
we would call opt-in choice, in other instances provides what we 
would call opt-out choice. The importance is it is meaningful. 

For example, when you go to our ToysRUs.com co-branded site, 
which provides some toys for some of our customers, you go there. 



103 


and Geoffrey the Giraffe from ToysRUs is sitting — there is a little 
picture of him sitting inside an Amazon.com box. It is very clear 
in just that little picture what is going on here. There is a 
ToysRUs.com product being delivered by Amazon.com. 

And there is a whole bunch of wording around it as well that ex- 
plains what exactly is going on there, but that is far more mean- 
ingful for the vast majority of consumers out there than having to 
read some words about policy. We have told them in this little pic- 
ture instantly: this is a ToysRUs product being delivered by Ama- 
zon.com. We thought that was much more useful and meaningful 
for them than simply providing the words, which we also provide. 

Senator Kerry. Right. But coming back to this whole question 
that Mr. Brondmo raised very clearly and, I think, logically as he 
went through the progression, sort of, who owns this asset. What 
is the asset, who owns it, and what use is it put to, is really the 
issue. And you are sort of going around that in a sense. You are 
saying, “Well, we give this information to them, but that doesn’t 
deal with the secondary marketplace issues of the information”. 

And so I am trying to get at, you know, how critical — I mean, the 
fight here was ostensibly whether opt-in was going to lose people, 
a flow of information that was going to be important to them in 
terms of their revenue stream, and ultimate control of an asset. 
And that is what we are arguing about. 

And my question to you is: Has that changed a bit now? Has this 
marketplace in the wake of sort of the shake out and some matu- 
rity and evolution, has it changed in a way? I mean, Mr. Seagraves 
was talking about the upside benefits of marketing the fuller meas- 
ure of privacy, and I am wondering if you think it has changed. Is 
there some legitimacy to this current discussion? 

Mr. Misener. Oh, absolutely. Senator. I appreciate the question. 
Amazon.com, in its initial privacy policy notice, had indicated that 
it might at some point in the future sell consumer information to 
third parties such as telemarketers. Well, we never did that, and 
we concluded last year that we never would do that, because our 
customers wouldn’t like that, and so we said in our updated and 
enhanced privacy policy last year — we made a pledge that Ama- 
zon.com is not, emphatically not, in the business of selling cus- 
tomer information. We want to protect that customer information, 
because our customers think it is important. 

And you are right. There was this shift where, earlier on, we 
thought we might do that, but we concluded last year that no way 
would we do that. 

Senator Kerry. Mr. Seagraves. 

Mr. Seagraves. Well, as I said, Earthlink does not, you know, 
really fall one way or the other right now, because we don’t — we 
are not asking the customers, because we don’t sell their informa- 
tion. However, that could change so we would need to make a 
choice. Do we want opt-in or opt-out? And I think there is a trade- 
off. 

Senator Kerry. Do you think it makes a difference? 

Mr. Seagraves. I think it does make a difference, and the trade- 
off is this. If you are opt-in, then these are customers that actively 
say, “Yes, we want you to do this”. Then that information is more 
valuable, although you have much less of it. If it is opt-out, you 



104 


have a lot more people that, you know, participate and that will 
give — allow you to use their information. However, it is not as val- 
uable, because basically they may have just been lazy. 

So, you know, I think you need to balance that as far as the par- 
ticular business that you are in. In our case, I think the value of 
the information is mostly in bulk, and the targeted information 
that you get with opt-in isn’t necessarily all that important to us. 

Senator Kerry. Fair enough. Mr. Brondmo, do you want to com- 
ment on that at all? 

Mr. Brondmo. Senator, I think you are keying on something 
very important here, because there is obviously a maturity that is 
happening in the marketplace, and we are learning, and that learn- 
ing has to be brought into any future legislation. 

My learning in this area has been — I can maybe illustrate that 
with a brief example. I worked with a large music retailer a few 
years ago, and the music retailer was very hesitant to take people 
off their lists as they were marketing to people, and we were 
strongly encouraging them to do so, due to an increasing customer 
satisfaction problem they were experiencing. Their rationale was 
very reasonable. It costs us a lot of money to get these people to 
come to our site, to get them into our data base; why should we 
be making it easy for them to get off our site or to not participate? 

Finally they did a test. They learned that it had no substantial 
impact on their business, because the people that didn’t like hear- 
ing from them didn’t mind, but more importantly when they made 
it very clear up front on their web site how easy it would be to get 
off their systems, what they actually found was an increase in sub- 
scription. They found more people coming in and opting in or not 
opting out of the program up front, because they knew it would be 
simple and easy later on. 

Senator Kerry. Now, if there were a prohibition on any 
unconsented transfer of financial information, i.e., credit card or 
personal identifier. Social Security number, and so that all that you 
had conceivably as this asset was a particular purchase, item of 
purchase, series of items of purchase, location of purchase, date, 
time, et cetera, and that was the asset, in effect, is there any harm 
in that transfer, if it were in an opt-out? And is there, in fact, con- 
ceivably a countervailing benefit to a consumer that hasn’t even 
been weighed in this discussion? Do you follow me? 

Mr. Brondmo. I am not sure I do. 

Senator Kerry. Well, for instance, if the asset that a company 
has that it either transfers to one of its subsidiaries or sells to an- 
other company is information about someone’s purchase, but it is 
effectively an almost anonymous piece of information — not com- 
pletely; has their address, has a place, knows what they purchased, 
and therefore, that company wanted to know that, because they 
want to make a secondary solicitation of some kind, is there some 
kind of harm done in that, absent any transfer of any personal or 
financial information, no credit card numbers, no Social Security 
number, no — nothing but the transaction itself, in effect, which is 
supposedly the value people want to hold onto for marketing pur- 
poses. 

My question is: Is there any harm whatsoever to that consumer 
that is different from the harm in the offline marketplace today. 



105 


and is there conceivably an upside benefit to them that hasn’t even 
been weighed in this discussion? 

Mr. Brondmo. Senator, I believe there is potential harm that can 
be brought to the consumer in the scenario you outlined. The pri- 
mary problem is that if I visit Amazon, I might look at a number 
of books. I might leave behind a trail of information which I have 
no problem trusting to Amazon, but if I knew that Amazon would 
turn that around and — let’s for a moment say that I had political 
ambitions, and Amazon would sell that information to anybody who 
would pay $1 to buy it, and all of a sudden somebody could come 
in and look at what books I had bought, what research I might 
have done, maybe books that didn’t necessary reflect my opinions 
or my position, but that information being available, I believe that 
that could potentially be very sensitive information. 

I also believe, by the way, that Amazon would be undermining 
their own business by giving that information away, because that 
is an insight into my relationship that I have developed with them, 
which is a key competitive advantage that they have over their 
competitor, and they should not be selling that information. 

Senator Kerry. But that information is available today in the 
offline world and even worse is available today. I mean, look at 
what happened to Justice Thomas in his confirmation process. We 
learned what Monica Lewinsky’s videos were, I do believe. I mean, 
we have had, you know — offline world, you can do that today. 

The Chairman. You don’t think we can regulate it, do you? 

Senator Kerry. That’s my question. 

Mr. Brondmo. Well, Senator, that does not change my opinion 
with respect to the online behavior. 

Mr. Misener. Senator Kerry, you are absolutely right. Just to 
answer, of course, Amazon.com does not do what was discussed just 
a moment ago. It does make little sense, however, to enact a law 
or put in place a regulation that would only govern one medium. 

Senator Kerry. Well, I agree. This is the point that I have been 
making for some period of time on this Committee, that if the right 
of privacy is what we are talking about, it seems to me that if you 
are providing adequate protection for the flow of financial informa- 
tion, et cetera, if it is the marketing concept, that is available in 
any number of ways, through credit bureaus. I mean, the informa- 
tion that appears on people publicly in America today is stunning. 

And there, you know, it seems to me we have got to look at this 
considerably differently or more broadly, I suppose, is the way to 
phrase it. But, I mean, would Amazon — would somebody be able to 
find out — Senator Rockefeller was asking me that in a private con- 
versation. I mean, if, for instance, somebody went in and had a 
whole series of books that they got because there was a particular 
family crisis going on or someone was sick with a particular dis- 
ease and they start — all of a sudden they have ten books on a par- 
ticular subject, would those books then be traceable, and therefore, 
they will be suddenly solicited by therapists or psychiatrists or a 
whole bunch of people because they seem to have an inkling that 
that is an area those folks are now concerned about? 

Mr. Misener. Absolutely, emphatically not. Amazon.com will not 
share that sort of information at all. We will share in certain cir- 
cumstances information resulting — or applying to a particular 



106 


transaction, e.g., a purchase of wireless services through our wire- 
less services store, but only in an opt-in circumstance. The wireless 
store does not get, for example, information about the pots and 
pans that I may have purchased or the books that I may have pur- 
chased, only resulting from that, but again that is an opt-in cir- 
cumstance. 

Senator Kerry, you are right on point, because 99 percent of the 
retail transactions in this country last year were done offline, so to 
the extent we apply a new law only to the online world, we are 
only touching a very tiny percent, and those transactions are only 
those made by those fortunate enough to be on the fortunate side 
of the digital divide. Those who aren’t get none of the benefits. 

Senator Kerry. And what do you say to people who distinguish 
the online world because of its interconnectedness and capacity to 
conglomerate transactions which doesn’t occur when you walk indi- 
vidually into a particular store? 

Mr. Misener. It is a good question. The capacity to conglomerate 
is not inherent only to the online world. The data bases exist no 
matter where you are. In the offline world or wherever, those data 
bases, that information about you, generally far more sensitive in- 
formation than Amazon.com would ever collect, exists in the offline 
world. To the extent there are differences — and I think there are 
some, but they are very limited — to the extent there are dif- 
ferences, for example, third parties tracking you around a site, leg- 
islation at that point would be something that could be appro- 
priate. Amazon.com bars that. 

We do not allow third-party cookies to be served on our site for 
that very reason. We don’t think our customers should be subjected 
to that sort of thing. That is different from the offline world. But 
where there are similarities, information collected, information 
used for marketing purposes, then it ought to be treated the same. 

Senator Kerry. Well, I thank you very much. It is obviously a 
very important area. I just want to emphasize again, for the benefit 
of where we are heading here with the Chairman that I think he 
is right on target in terms of where we need to be and being very 
declarative on the medical and the financial and so forth. And I 
think we need to sort of sort through the other components of this 
that we have discussed today. 

Mr. Chairman, this has been a good hearing, and I thank you 
very, very much for your leadership. 

The Chairman. I thank you very much. Senator. It has been an 
outstanding hearing. I have learned a lot, and it strikes me that — 
and you can always get in trouble thinking out loud, but there is 
no question that we have got to legislate, but we have got to legis- 
late cautiously. So in the sense that we legislate cautiously, some 
would legislate, as others have introduced bills last year with opt- 
out alone, or the FTC guidelines which are optional, and neither 
approach has worked. We tried that with the banking bill, and 
that’s a big uproar as the witnesses testified, that it is not working. 

So you look at the best of the best, namely Microsoft that opts 
in for our opt-in, and Schwab, the best of the best analysts, busi- 
ness-wise says it’s not really that much of a burden; in fact, it is 
a good business practice. And you find just that. The best of the 
best thinks they make money out of privacy, namely P3P, and oth- 



107 


erwise, you have already joined in to the European safe harhor, 
and as an American politician, I am saying to myself, “Well, can’t 
I give the American citizenry an equal protection as those citizens 
in Europe”, unless there is something wrong with that safe harhor. 

Is there anything wrong with that safe harbor that you know 
about, Mr. Rubinstein, that you want the Committee to know 
about? 

Mr. Rubinstein. Well, I do want to comment on the safe harbor. 
Microsoft and some hundred other multinationals have signed up 
to the safe harbor, but I think we should be very clear about what 
the motivation is. 

The Chairman. Well, I know the motivation. You all want to do 
business in Europe. Go ahead. 

Mr. Rubinstein. Well, that is exactly correct. 

The Chairman. Sure. 

Mr. Rubinstein. As a multinational, we are bound to comply 
with European law. 

The Chairman. Whoopee. That’s right. We are in a global econ- 
omy. Every time you mention something around here, some politi- 
cian jumps up and says, “Well, this is a global economy. OK. So 
we can pass that point”. 

Mr. Rubinstein. But if I can offer an analogy, Erance has laws 
regarding the use of Erench language on web sites operated in 
Erance. The fact that Microsoft complies with those laws does not 
in any way apply that we advocate English-only web site laws in 
the United States, so I don’t see 

The Chairman. But you have, on the opt-in, you have opted in. 
Microsoft favors opt-in. 

Mr. Rubinstein. We favor opt-in in an evolving business model, 
namely what we call our Hailstorm Services that are premised en- 
tirely on two things. One is identity management, so those services 
are all about the most sensitive and personal information, and No. 
2 — and I think this is the theme that has been reflected in all of 
the comments today — those are subscription-based, fee-paying serv- 
ices. They are not free web content or free services, and in that 
context, we do not favor opt-in legislation at all. 

The Chairman. Well, that is the fundamental question. What is 
sensitive? Medical, personal medical and personal financial. Right? 

Senator Kerry. Chairman, can I mention 

The Chairman. Yes. 

Senator Kerry. Chairman, I just wanted to say that I ap- 
proached this with — I was on the conference Committee, on the 
Banking Committee on the Gramm-Leach-Bliley, and I voted then 
and we lost on the more stringent opt-in requirements, and we 
have seen the results of that. So I think there are some lessons we 
can draw from both the maturity of the industry, but also from 
what has happened in terms of the regulatory application process. 

So I hope, Mr. Chairman, we can — I think there is room — I 
thought there was a lot of sense of possibilities and wisdom from 
both panels about the capacity to sort of combine the pieces here 
and try to draw some distinctions between the areas of sensitivity 
and the commercial side, and maybe we can do that. 

The Chairman. Oh, yes. We are going to do it very cautiously, 
but I hope we can get something done. What happens is that we 



108 


have got to look into that matter of preemption and perhaps with 
the states, let them operate upwards on that score. And otherwise 
there will be a debate and probably a difference of opinion with re- 
spect to the private right of action that Mr. Misener absolutely op- 
poses. 

Mr. Misener, what we have found from hard experience — we had 
a hearing just last year with respect to the Firestone tires, and the 
National Highway Safety Transportation Administration, NHSTA, 
and we asked the Secretary — we had 99 million recalls in the past 
3 years. This was last year’s hearing, and we asked the Secretary 
of Transportation how many had been required by NHSTA. Zero, 
none, in the 99 million recalls. They were all done on account of 
the Pinto case. 

And everybody knows that — in fact, we only found out about the 
bad tires from personal causes of action and some 200 deaths. That 
is how it came to our — I never had heard about it happening in 
South Carolina or anywhere else until we found out people were 
dying in Saudi Arabia, dying down in Venezuela, and they had 
been given notice and everything else like that, and now we find 
out we had 200 in this country. 

So that is why we even consider a personal cause of action. 
Somebody thinks, well, this is all lawyers and trying to get lawyers 
cases and everything else of that kind. What we are trying to do 
is go in in a deliberate fashion, and as Mr. Seagraves says, not 
produce a regulatory mine field and not overreact. Nobody is vin- 
dictive about it. And you folks have been unusually helpful to this 
Committee. We will probably have perhaps another hearing, but 
we are going to work it out. 

And we will leave the record open for any further questions by 
either the members that could not attend, and otherwise for any 
comments and further information you would wish to finish the 
Committee. The hour is late. The lunch is ready. Thank you all 
very, very much. 

The Committee will be in recess until the call of the Chair. 

[Whereupon, at 1 p.m., the hearing was adjourned.] 


O 



